arkei | d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2

Analysis

max time kernel
152s
max time network
152s
platform
windows10_x64
resource
win10-20220414-en
submitted
17-04-2022 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
Size

362KB
MD5

f3d8a5b25431abe4862b8e302b089732
SHA1

025aa58b827649604eda994ed7e61fc9d9761f21
SHA256

d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2
SHA512

f8e503ed6da1b1e11050baec075ed3da2da33887c783cd8a288b0d951b074cc0c253f64459293d114c188d2e2441ccf75b4f57a4d52336359dfa1f57507ad979

Score

10^/10

arkei redline smokeloader @chelnevreya cheat default install agilenet backdoor discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://hydroxychl0roquine.xyz/

https://hydroxychl0roquine.xyz/

rc4.i32

Extracted

Family

redline

Botnet

@ChelnEvreya

46.8.220.88:65531

Attributes

auth_value
d24bb0cd8742d0e0fba1abfab06e4005

Extracted

Family

redline

Botnet

cheat

91.199.137.32:29712

Extracted

Family

redline

Botnet

install

193.150.103.38:40169

Attributes

auth_value
7b121606198c8456e17d49ab8c2d0e42

Extracted

Family

arkei

Botnet

Default

http://92.119.160.244/Biasdmxit.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\qrbwrwx.exe\","	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1916-129-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1916-134-0x000000000041BC2E-mapping.dmp	family_redline
behavioral1/memory/1556-153-0x000000000041BC2E-mapping.dmp	family_redline
behavioral1/memory/1152-175-0x000000000041BC2E-mapping.dmp	family_redline
behavioral1/memory/3380-198-0x000000000041932E-mapping.dmp	family_redline
behavioral1/memory/3380-196-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 18 IoCs

Processes:

8240.exe8A5F.exe92AD.exe9DE9.exeA481.exeA993.exe9DE9.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exehire.exeA481.exe

pid	process
3096	8240.exe
2732	8A5F.exe
3232	92AD.exe
2976	9DE9.exe
2948	A481.exe
3328	A993.exe
3380	9DE9.exe
2312	7z.exe
3572	7z.exe
1660	7z.exe
3496	7z.exe
3436	7z.exe
688	7z.exe
288	7z.exe
208	7z.exe
3804	7z.exe
3964	hire.exe
3884	A481.exe

Deletes itself 1 IoCs

Processes:

pid process

3044
Loads dropped DLL 11 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeA481.exe

pid process

2312 7z.exe
3572 7z.exe
1660 7z.exe
3496 7z.exe
3436 7z.exe
688 7z.exe
288 7z.exe
208 7z.exe
3804 7z.exe
3884 A481.exe
3884 A481.exe

pid	process
3044

pid	process
2312	7z.exe
3572	7z.exe
1660	7z.exe
3496	7z.exe
3436	7z.exe
688	7z.exe
288	7z.exe
208	7z.exe
3804	7z.exe
3884	A481.exe
3884	A481.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A481.exe	agile_net
C:\Users\Admin\AppData\Local\Temp\A481.exe	agile_net
behavioral1/memory/2948-191-0x0000000000B90000-0x0000000000C78000-memory.dmp	agile_net
C:\Users\Admin\AppData\Local\Temp\A481.exe	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

Processes:

d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe8240.exe8A5F.exe92AD.exe9DE9.exeA481.exe

description	pid	process	target process
PID 1756 set thread context of 3532	1756	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
PID 3096 set thread context of 1916	3096	8240.exe	AppLaunch.exe
PID 2732 set thread context of 1556	2732	8A5F.exe	AppLaunch.exe
PID 3232 set thread context of 1152	3232	92AD.exe	AppLaunch.exe
PID 2976 set thread context of 3380	2976	9DE9.exe	9DE9.exe
PID 2948 set thread context of 3884	2948	A481.exe	A481.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

A481.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	A481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	A481.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

308 timeout.exe

pid	process
308	timeout.exe

Modifies registry class 4 IoCs

Processes:

9DE9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\CID\{D3558E25-821F3-72C3-8A52-54A482A54739}\B3589298	9DE9.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\CID	9DE9.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\CID\{D3558E25-821F3-72C3-8A52-54A482A54739}	9DE9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\CID\{D3558E25-821F3-72C3-8A52-54A482A54739}\B3589298\2 = "159021122206117200165108097018043012143072010113"	9DE9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exed4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe

pid	process
1756	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
1756	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
3532	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
3532	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3044

pid	process
3044

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe

pid	process
3532	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe9DE9.exe7z.exe7z.exe7z.exe7z.exe7z.exe

description	pid	process
Token: SeDebugPrivilege	1756	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeDebugPrivilege	3380	9DE9.exe
Token: SeRestorePrivilege	2312	7z.exe
Token: 35	2312	7z.exe
Token: SeSecurityPrivilege	2312	7z.exe
Token: SeSecurityPrivilege	2312	7z.exe
Token: SeRestorePrivilege	3572	7z.exe
Token: 35	3572	7z.exe
Token: SeSecurityPrivilege	3572	7z.exe
Token: SeSecurityPrivilege	3572	7z.exe
Token: SeRestorePrivilege	1660	7z.exe
Token: 35	1660	7z.exe
Token: SeSecurityPrivilege	1660	7z.exe
Token: SeSecurityPrivilege	1660	7z.exe
Token: SeRestorePrivilege	3496	7z.exe
Token: 35	3496	7z.exe
Token: SeSecurityPrivilege	3496	7z.exe
Token: SeSecurityPrivilege	3496	7z.exe
Token: SeRestorePrivilege	3436	7z.exe
Token: 35	3436	7z.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe8240.exe8A5F.exe92AD.exe9DE9.exeA993.execmd.exe

description	pid	process	target process
PID 1756 wrote to memory of 3532	1756	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
PID 1756 wrote to memory of 3532	1756	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
PID 1756 wrote to memory of 3532	1756	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
PID 1756 wrote to memory of 3532	1756	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
PID 1756 wrote to memory of 3532	1756	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
PID 1756 wrote to memory of 3532	1756	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe	d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
PID 3044 wrote to memory of 3096	3044		8240.exe
PID 3044 wrote to memory of 3096	3044		8240.exe
PID 3044 wrote to memory of 3096	3044		8240.exe
PID 3096 wrote to memory of 1916	3096	8240.exe	AppLaunch.exe
PID 3096 wrote to memory of 1916	3096	8240.exe	AppLaunch.exe
PID 3096 wrote to memory of 1916	3096	8240.exe	AppLaunch.exe
PID 3096 wrote to memory of 1916	3096	8240.exe	AppLaunch.exe
PID 3096 wrote to memory of 1916	3096	8240.exe	AppLaunch.exe
PID 3044 wrote to memory of 2732	3044		8A5F.exe
PID 3044 wrote to memory of 2732	3044		8A5F.exe
PID 3044 wrote to memory of 2732	3044		8A5F.exe
PID 2732 wrote to memory of 1556	2732	8A5F.exe	AppLaunch.exe
PID 2732 wrote to memory of 1556	2732	8A5F.exe	AppLaunch.exe
PID 2732 wrote to memory of 1556	2732	8A5F.exe	AppLaunch.exe
PID 2732 wrote to memory of 1556	2732	8A5F.exe	AppLaunch.exe
PID 2732 wrote to memory of 1556	2732	8A5F.exe	AppLaunch.exe
PID 3044 wrote to memory of 3232	3044		92AD.exe
PID 3044 wrote to memory of 3232	3044		92AD.exe
PID 3044 wrote to memory of 3232	3044		92AD.exe
PID 3232 wrote to memory of 1152	3232	92AD.exe	AppLaunch.exe
PID 3232 wrote to memory of 1152	3232	92AD.exe	AppLaunch.exe
PID 3232 wrote to memory of 1152	3232	92AD.exe	AppLaunch.exe
PID 3232 wrote to memory of 1152	3232	92AD.exe	AppLaunch.exe
PID 3232 wrote to memory of 1152	3232	92AD.exe	AppLaunch.exe
PID 3044 wrote to memory of 2976	3044		9DE9.exe
PID 3044 wrote to memory of 2976	3044		9DE9.exe
PID 3044 wrote to memory of 2976	3044		9DE9.exe
PID 3044 wrote to memory of 2948	3044		A481.exe
PID 3044 wrote to memory of 2948	3044		A481.exe
PID 3044 wrote to memory of 2948	3044		A481.exe
PID 2976 wrote to memory of 3380	2976	9DE9.exe	9DE9.exe
PID 2976 wrote to memory of 3380	2976	9DE9.exe	9DE9.exe
PID 2976 wrote to memory of 3380	2976	9DE9.exe	9DE9.exe
PID 2976 wrote to memory of 3380	2976	9DE9.exe	9DE9.exe
PID 2976 wrote to memory of 3380	2976	9DE9.exe	9DE9.exe
PID 2976 wrote to memory of 3380	2976	9DE9.exe	9DE9.exe
PID 2976 wrote to memory of 3380	2976	9DE9.exe	9DE9.exe
PID 2976 wrote to memory of 3380	2976	9DE9.exe	9DE9.exe
PID 3044 wrote to memory of 3328	3044		A993.exe
PID 3044 wrote to memory of 3328	3044		A993.exe
PID 3044 wrote to memory of 3328	3044		A993.exe
PID 3044 wrote to memory of 1380	3044		explorer.exe
PID 3044 wrote to memory of 1380	3044		explorer.exe
PID 3044 wrote to memory of 1380	3044		explorer.exe
PID 3044 wrote to memory of 1380	3044		explorer.exe
PID 3044 wrote to memory of 1780	3044		explorer.exe
PID 3044 wrote to memory of 1780	3044		explorer.exe
PID 3044 wrote to memory of 1780	3044		explorer.exe
PID 3044 wrote to memory of 2196	3044		explorer.exe
PID 3044 wrote to memory of 2196	3044		explorer.exe
PID 3044 wrote to memory of 2196	3044		explorer.exe
PID 3044 wrote to memory of 2196	3044		explorer.exe
PID 3328 wrote to memory of 564	3328	A993.exe	cmd.exe
PID 3328 wrote to memory of 564	3328	A993.exe	cmd.exe
PID 564 wrote to memory of 288	564	cmd.exe	mode.com
PID 564 wrote to memory of 288	564	cmd.exe	mode.com
PID 3044 wrote to memory of 32	3044		explorer.exe
PID 3044 wrote to memory of 32	3044		explorer.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3916 attrib.exe

pid	process
3916	attrib.exe

C:\Users\Admin\AppData\Local\Temp\d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
"C:\Users\Admin\AppData\Local\Temp\d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
C:\Users\Admin\AppData\Local\Temp\d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3532

C:\Users\Admin\AppData\Local\Temp\8240.exe
C:\Users\Admin\AppData\Local\Temp\8240.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\8A5F.exe
C:\Users\Admin\AppData\Local\Temp\8A5F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\92AD.exe
C:\Users\Admin\AppData\Local\Temp\92AD.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\9DE9.exe
C:\Users\Admin\AppData\Local\Temp\9DE9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Admin\AppData\Local\Temp\9DE9.exe
"C:\Users\Admin\AppData\Local\Temp\9DE9.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Users\Admin\AppData\Local\Temp\A481.exe
C:\Users\Admin\AppData\Local\Temp\A481.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2948

C:\Users\Admin\AppData\Local\Temp\A481.exe
"C:\Users\Admin\AppData\Local\Temp\A481.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\A481.exe" & exit
3⤵
PID:164

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
4⤵
- Delays execution with timeout.exe
PID:308

C:\Users\Admin\AppData\Local\Temp\A993.exe
C:\Users\Admin\AppData\Local\Temp\A993.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
2⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\system32\mode.com
mode 65,10
3⤵
PID:288

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p209905755269222844620273953 -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_8.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:288

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:208

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3804

C:\Windows\system32\attrib.exe
attrib +H "hire.exe"
3⤵
- Views/modifies file attributes
PID:3916

C:\Users\Admin\AppData\Local\Temp\main\hire.exe
"hire.exe"
3⤵
- Executes dropped EXE
PID:3964

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1380

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1780

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2196

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:32

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2740

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3980

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:724

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3156

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9DE9.exe.log
Filesize
1KB

MD5
2ab1ff51a525ac9adb21f89e6a3465ff

SHA1
0d2fde32c3c47cbd62ff44d9cc3bbecb9ee8e742

SHA256
66e44c3fdcb75b99c85e2249d1afc4a6e9e07a66735acabbdb05ac3aef2359ae

SHA512
c9ace4de593bc0826a8ef4c5cb2bb51fdfe7bb12bc80d6c5f939ad8f66a44128aab5d1a1a980249017b888f35303571f6f4cbfb5092c78f327f6f03d01c04477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
2KB

MD5
fdff7763d34d8bbd90a483fa15cc43c2

SHA1
a899ce7079d6c7b4d11acd5f65fbbbeaa62310dc

SHA256
44992c4f941b5de1422794196e2aaf032838313743433f9dabf944782a088957

SHA512
a1be1c190a4f032b4c97ae1384c0cae9ea59137c178cfef8042a096fb628fd484a5fba2dcb7948d40e78ab045ec1348cd35a3acaeb9ac97de30592d64be2dd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\8240.exe
Filesize
1.8MB

MD5
da31f971f1f97923faf839a21b97c77e

SHA1
605a73437a1ef081a1896f39abb47435b4db55bd

SHA256
36f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f

SHA512
dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858

Download Submit
C:\Users\Admin\AppData\Local\Temp\8240.exe
Filesize
1.8MB

MD5
da31f971f1f97923faf839a21b97c77e

SHA1
605a73437a1ef081a1896f39abb47435b4db55bd

SHA256
36f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f

SHA512
dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A5F.exe
Filesize
1.8MB

MD5
da31f971f1f97923faf839a21b97c77e

SHA1
605a73437a1ef081a1896f39abb47435b4db55bd

SHA256
36f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f

SHA512
dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A5F.exe
Filesize
1.8MB

MD5
da31f971f1f97923faf839a21b97c77e

SHA1
605a73437a1ef081a1896f39abb47435b4db55bd

SHA256
36f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f

SHA512
dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858

Download Submit
C:\Users\Admin\AppData\Local\Temp\92AD.exe
Filesize
1.8MB

MD5
da31f971f1f97923faf839a21b97c77e

SHA1
605a73437a1ef081a1896f39abb47435b4db55bd

SHA256
36f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f

SHA512
dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858

Download Submit
C:\Users\Admin\AppData\Local\Temp\92AD.exe
Filesize
1.8MB

MD5
da31f971f1f97923faf839a21b97c77e

SHA1
605a73437a1ef081a1896f39abb47435b4db55bd

SHA256
36f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f

SHA512
dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858

Download Submit
C:\Users\Admin\AppData\Local\Temp\9DE9.exe
Filesize
1.4MB

MD5
7667e279e7b0f60797a5bfa539a4e544

SHA1
866200e814c3a6ae7bcd9c262d2fd8640660cdaa

SHA256
fd7a699fa3dfea1020144a68cb26ebf2d2c95396c3cdaf57c8b4dd5d66b5d58c

SHA512
8c56e636d6029f15b084352de62b324e60649ea4a6680195713b2e32dabc414afbeed7ee6eb7dc01ddee7040bb35d6972b7b5dbbb006bc544ff9f3eeac1d2e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9DE9.exe
Filesize
1.4MB

MD5
7667e279e7b0f60797a5bfa539a4e544

SHA1
866200e814c3a6ae7bcd9c262d2fd8640660cdaa

SHA256
fd7a699fa3dfea1020144a68cb26ebf2d2c95396c3cdaf57c8b4dd5d66b5d58c

SHA512
8c56e636d6029f15b084352de62b324e60649ea4a6680195713b2e32dabc414afbeed7ee6eb7dc01ddee7040bb35d6972b7b5dbbb006bc544ff9f3eeac1d2e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9DE9.exe
Filesize
1.4MB

MD5
7667e279e7b0f60797a5bfa539a4e544

SHA1
866200e814c3a6ae7bcd9c262d2fd8640660cdaa

SHA256
fd7a699fa3dfea1020144a68cb26ebf2d2c95396c3cdaf57c8b4dd5d66b5d58c

SHA512
8c56e636d6029f15b084352de62b324e60649ea4a6680195713b2e32dabc414afbeed7ee6eb7dc01ddee7040bb35d6972b7b5dbbb006bc544ff9f3eeac1d2e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A481.exe
Filesize
905KB

MD5
bb4ce5daeb417b865c58aee98da5b5b8

SHA1
2c956c78187157cf9b846af318c1f9ee2dca7b2a

SHA256
185016d4e5de1f766803ab7c5a5d05475ea38484551f3d500f6074883823d2b2

SHA512
a8c2563875c71f644a453bbf860e8d2ee9778de3c45e664c43fb2a77ff56934f153e5a39bf08d02f8a5a1b4a7594d75a75ab795fd1e49402f8b9b8ed0c77a58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A481.exe
Filesize
905KB

MD5
bb4ce5daeb417b865c58aee98da5b5b8

SHA1
2c956c78187157cf9b846af318c1f9ee2dca7b2a

SHA256
185016d4e5de1f766803ab7c5a5d05475ea38484551f3d500f6074883823d2b2

SHA512
a8c2563875c71f644a453bbf860e8d2ee9778de3c45e664c43fb2a77ff56934f153e5a39bf08d02f8a5a1b4a7594d75a75ab795fd1e49402f8b9b8ed0c77a58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A481.exe
Filesize
905KB

MD5
bb4ce5daeb417b865c58aee98da5b5b8

SHA1
2c956c78187157cf9b846af318c1f9ee2dca7b2a

SHA256
185016d4e5de1f766803ab7c5a5d05475ea38484551f3d500f6074883823d2b2

SHA512
a8c2563875c71f644a453bbf860e8d2ee9778de3c45e664c43fb2a77ff56934f153e5a39bf08d02f8a5a1b4a7594d75a75ab795fd1e49402f8b9b8ed0c77a58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A993.exe
Filesize
2.3MB

MD5
3736170386bcdccc13b0c3f704f8a9d1

SHA1
6d67415f28172b241946e090170d230b145c4fe4

SHA256
ee99ebb5242fcb97bf73e360b27a7cbc100483e46421b8af6676413fbda19a83

SHA512
df9d874c57af6279175eeeb1bfc0b3c1f0f994b0904f5458b6f4ca12cc9df58cb1819698c9b18e46fee5c93ffdc04e61bf2aff3abb633fe08ed6ac8ee2a7fbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\A993.exe
Filesize
2.3MB

MD5
3736170386bcdccc13b0c3f704f8a9d1

SHA1
6d67415f28172b241946e090170d230b145c4fe4

SHA256
ee99ebb5242fcb97bf73e360b27a7cbc100483e46421b8af6676413fbda19a83

SHA512
df9d874c57af6279175eeeb1bfc0b3c1f0f994b0904f5458b6f4ca12cc9df58cb1819698c9b18e46fee5c93ffdc04e61bf2aff3abb633fe08ed6ac8ee2a7fbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
Filesize
2.0MB

MD5
77c466f1a57731267dd6033008ff7fc6

SHA1
4233a4b6839ee4599ba5c2d557f11d9c5b6f355d

SHA256
202a9782b2dd3caee4cc12245b6f36106e50386fc4ff62f7ce1ff42254b1dec8

SHA512
12d790fd9b518e40635d2eb16a08e82afd3d4cee1e657869031bc7b774afe4128a54831758832c961bd1dd419cc98d37d44c842cdbeba4c79de5720568582b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
Filesize
37KB

MD5
75330da3baf88648e23c6be092bfdf61

SHA1
7eca657f0213b464580bebb5b39a891125412db1

SHA256
1f5fde770b7b7a9c139067b6532fd3aa36d876e3add5ec28803cbfb1b474b728

SHA512
96c2d16fae8dd3634cc5146c1ad4785028827aee4a24ad7f3c6402a69243f9b16b0de0b0ea5077e9bba90ae5d4e287f73adf23d021ab466cd2fbf1b65f96f90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
Filesize
37KB

MD5
568c23dddb42563988caaeef42f2978e

SHA1
9b72db80df21d50b3db56af07021cfa290cd8041

SHA256
525af755e017ac360a0777a49c8a3f003ea401f08c20a32608554a6c6cfe3fc2

SHA512
f673bbc7a3bab4dea707c43cfbfc130a780c8fbaf6ce5b044dd7cafc981ce98ff79a2912eec0b2ab6857e791984b7da5b146ba4d402d5e2ff9573a2d6f0467ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
Filesize
37KB

MD5
60ac64856a3064fc8b10dda9503b6ca2

SHA1
d0b5cee78989490574c5759016d90896cc5a4e00

SHA256
e5be5a2935b1afcfc714a8d5e5dceecb0f9881bd7949ae7c59bd2d1a4c7f0990

SHA512
c1d5f29713799ffefbbd68926efe60bf1087540c0401475fd66ee49d2e86b9a65ee9bc4f8d32fc7e0ab7041d36360c6590cb28bb5e6ddee09a06a88382ad73ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
Filesize
37KB

MD5
9fc1092c8c6f11684b7c752a13d214ab

SHA1
2bfd7f4dccbf0d94ff89bbad811b52ab5e0dbc4c

SHA256
75f87e8530420f69343533a1665e0ee8fbbe7241f8243c137c3f25f7bf7af6d8

SHA512
a438139fab10703675944f81e1a2e2d3e44c76a75a8f8d23ac22510819c77a5b1b65969f7956cf249da67f2bc98ab6797f3390027eb12251104e0ce03c98d742

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
Filesize
37KB

MD5
c03d8e372b7a3a7f8cafc37024a337bf

SHA1
fc31818dbf103f21fa4ebb4317dbb26b9b127028

SHA256
1e19542eb3116236a0e1ffa00e0ff00364ae035868df8c23baa0e6a5237c42e8

SHA512
604837ce807d0277718a1fef974fa45f87528f2286f03f4e716b1a2b8b0e76466f115b87312e136b83fdc12fec4e84ce18a819af591c1d0c72448a3e4cd62328

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
Filesize
38KB

MD5
e5ecfc2bcb9aa5af021c9b8119938f95

SHA1
2fa59301ccc0079e96caec3f74772478f44419a7

SHA256
f63970371f3020dda925d39de004e2ac03e362436a882736d8b7bf3e0ff7cc41

SHA512
54a6f386eff85b6dc91d7d4dcd2d76a77de2ca79f410b81d83206bd1b211022ae3340ead651c298aefb248b076c3dc9aaed089b1fd7844fb8388070247005b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
Filesize
38KB

MD5
a1c810f10a62f5fe5938226bda14097c

SHA1
85bad823f978d0ed56818eeca4096676ff41df79

SHA256
7f736b77722a4a7876b298cae746d05a8e33cf675d0796d2adf8bf1f0f6593ab

SHA512
0343634d4f504a7ea0dd005735ea5705325ee57319b7d6a13f19112f0ba5b1c40e3350e0b5d0e0fe7f834f93834c4b4f103965b310a02ed3172a4359ef049676

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip
Filesize
1.5MB

MD5
0477dc33f59826766713cd5cc837e842

SHA1
d674d275ef5c4e2b0f847a2fb635c0193996ccb4

SHA256
f818c61438e6f1cb05d52e10d02b47921ad721f8924a35a96a2791470fc2d4c0

SHA512
4751e46dba8063e8283ab974ab13722920f797c3c1cb6a581fbd8e06225596696b91331ddb76e1f9d24266c5121dcedc9de00b1f7e2c2e27d4c65e68cb237acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\hire.exe
Filesize
88KB

MD5
996fdc6ba853d25224d6f608ea28cc15

SHA1
0a6cdd4c1450ceafd82644b7fbb9aafb845033e4

SHA256
cddb3040a3feb3dd11945f4bb2e5ec21754d0f1ac8eb47644f5aaada8136a7d2

SHA512
0c720655d076f193d927c54467ce3b4c4942ef705a09fe97055cbc20cf11464437b6a51427ec4872c458096bdb84a82f7e67c8338953a5b27ce7bc779a50b0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin
Filesize
1.5MB

MD5
add1f42615e4e85b9563292d57a0c8fc

SHA1
831aa6be42ac1d19230a6032966728d3daf7b705

SHA256
6d71e66ac56fb115c29204512b8b5349b0e9f2bd7be50610b2afa28c963deebf

SHA512
e61a7acfedf501e402d0af3103f689ad090fd70925ef3ce477496ee5e38a4619f11086a85a5c299de25dc4d510ca56118a39f85e85a175dd808108205d0ead3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\hire.exe
Filesize
88KB

MD5
996fdc6ba853d25224d6f608ea28cc15

SHA1
0a6cdd4c1450ceafd82644b7fbb9aafb845033e4

SHA256
cddb3040a3feb3dd11945f4bb2e5ec21754d0f1ac8eb47644f5aaada8136a7d2

SHA512
0c720655d076f193d927c54467ce3b4c4942ef705a09fe97055cbc20cf11464437b6a51427ec4872c458096bdb84a82f7e67c8338953a5b27ce7bc779a50b0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat
Filesize
455B

MD5
cf691da695f5b0737c5da88d47c1392d

SHA1
596cb60d1003ea72c6d900de7bbde882667e072b

SHA256
25dc4c4fa7ec77a38f19e8d45113ead3ec27a26f6e75c37c8b89bf7b377c9c74

SHA512
73dc0009e379970c755c26503ce690596e85b3bcffa3fd820c5b82f53a8573cc5c83e01c88d02dae49ade97d7b953047a94fa0c2b2170b9489be70afd7eb1f23

Download Submit
\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
memory/32-226-0x0000000000000000-mapping.dmp

Download
memory/164-1329-0x0000000000000000-mapping.dmp

Download
memory/208-389-0x0000000000000000-mapping.dmp

Download
memory/288-379-0x0000000000000000-mapping.dmp

Download
memory/288-225-0x0000000000000000-mapping.dmp

Download
memory/308-1330-0x0000000000000000-mapping.dmp

Download
memory/564-223-0x0000000000000000-mapping.dmp

Download
memory/688-358-0x0000000000000000-mapping.dmp

Download
memory/724-516-0x0000000000000000-mapping.dmp

Download
memory/1152-514-0x000000000ABE0000-0x000000000ADA2000-memory.dmp

Filesize
1.8MB

Download
memory/1152-175-0x000000000041BC2E-mapping.dmp

Download
memory/1152-207-0x0000000009570000-0x00000000095D6000-memory.dmp

Filesize
408KB

Download
memory/1152-515-0x000000000B2E0000-0x000000000B80C000-memory.dmp

Filesize
5.2MB

Download
memory/1380-203-0x0000000000000000-mapping.dmp

Download
memory/1556-153-0x000000000041BC2E-mapping.dmp

Download
memory/1660-243-0x0000000000000000-mapping.dmp

Download
memory/1756-114-0x0000000000AD0000-0x0000000000B38000-memory.dmp

Filesize
416KB

Download
memory/1756-119-0x00000000055C0000-0x00000000055F0000-memory.dmp

Filesize
192KB

Download
memory/1756-116-0x0000000009820000-0x00000000098B2000-memory.dmp

Filesize
584KB

Download
memory/1756-115-0x0000000009E60000-0x000000000A35E000-memory.dmp

Filesize
5.0MB

Download
memory/1756-117-0x00000000098D0000-0x00000000098DA000-memory.dmp

Filesize
40KB

Download
memory/1756-118-0x000000000C620000-0x000000000C79A000-memory.dmp

Filesize
1.5MB

Download
memory/1780-209-0x0000000000000000-mapping.dmp

Download
memory/1916-142-0x0000000009010000-0x000000000911A000-memory.dmp

Filesize
1.0MB

Download
memory/1916-129-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1916-144-0x0000000008F60000-0x0000000008F9E000-memory.dmp

Filesize
248KB

Download
memory/1916-204-0x0000000009290000-0x0000000009306000-memory.dmp

Filesize
472KB

Download
memory/1916-208-0x0000000009B90000-0x0000000009BAE000-memory.dmp

Filesize
120KB

Download
memory/1916-140-0x0000000008EE0000-0x0000000008EF2000-memory.dmp

Filesize
72KB

Download
memory/1916-147-0x0000000008FA0000-0x0000000008FEB000-memory.dmp

Filesize
300KB

Download
memory/1916-138-0x0000000009460000-0x0000000009A66000-memory.dmp

Filesize
6.0MB

Download
memory/1916-134-0x000000000041BC2E-mapping.dmp

Download
memory/2196-218-0x0000000000000000-mapping.dmp

Download
memory/2312-228-0x0000000000000000-mapping.dmp

Download
memory/2732-139-0x0000000000000000-mapping.dmp

Download
memory/2732-146-0x0000000000320000-0x00000000004E6000-memory.dmp

Filesize
1.8MB

Download
memory/2732-145-0x0000000000320000-0x00000000004E6000-memory.dmp

Filesize
1.8MB

Download
memory/2740-290-0x0000000000000000-mapping.dmp

Download
memory/2948-1301-0x00000000060D0000-0x00000000060FE000-memory.dmp

Filesize
184KB

Download
memory/2948-188-0x0000000000000000-mapping.dmp

Download
memory/2948-1300-0x0000000007590000-0x0000000007602000-memory.dmp

Filesize
456KB

Download
memory/2948-191-0x0000000000B90000-0x0000000000C78000-memory.dmp

Filesize
928KB

Download
memory/2948-193-0x00000000059E0000-0x00000000059EA000-memory.dmp

Filesize
40KB

Download
memory/2976-195-0x0000000005740000-0x000000000575C000-memory.dmp

Filesize
112KB

Download
memory/2976-194-0x0000000005C70000-0x0000000005CAC000-memory.dmp

Filesize
240KB

Download
memory/2976-187-0x00000000051D0000-0x000000000526C000-memory.dmp

Filesize
624KB

Download
memory/2976-183-0x0000000000000000-mapping.dmp

Download
memory/2976-186-0x0000000000800000-0x0000000000970000-memory.dmp

Filesize
1.4MB

Download
memory/2976-192-0x00000000056D0000-0x0000000005726000-memory.dmp

Filesize
344KB

Download
memory/3044-123-0x00000000014C0000-0x00000000014D6000-memory.dmp

Filesize
88KB

Download
memory/3096-124-0x0000000000000000-mapping.dmp

Download
memory/3096-127-0x0000000000A20000-0x0000000000BE6000-memory.dmp

Filesize
1.8MB

Download
memory/3096-128-0x0000000000A20000-0x0000000000BE6000-memory.dmp

Filesize
1.8MB

Download
memory/3156-548-0x0000000000000000-mapping.dmp

Download
memory/3180-697-0x0000000000000000-mapping.dmp

Download
memory/3232-157-0x0000000000000000-mapping.dmp

Download
memory/3232-162-0x0000000000810000-0x00000000009D6000-memory.dmp

Filesize
1.8MB

Download
memory/3232-160-0x0000000000810000-0x00000000009D6000-memory.dmp

Filesize
1.8MB

Download
memory/3328-197-0x0000000000000000-mapping.dmp

Download
memory/3380-198-0x000000000041932E-mapping.dmp

Download
memory/3380-196-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3436-332-0x0000000000000000-mapping.dmp

Download
memory/3496-285-0x0000000000000000-mapping.dmp

Download
memory/3532-121-0x0000000000402EF6-mapping.dmp

Download
memory/3532-122-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3532-120-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3572-238-0x0000000000000000-mapping.dmp

Download
memory/3804-488-0x0000000000000000-mapping.dmp

Download
memory/3884-1307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3884-1303-0x0000000000408430-mapping.dmp

Download
memory/3884-1306-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3884-1302-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3884-1308-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/3916-504-0x0000000000000000-mapping.dmp

Download
memory/3964-511-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/3964-507-0x0000000000000000-mapping.dmp

Download
memory/3964-945-0x0000000006580000-0x00000000065D0000-memory.dmp

Filesize
320KB

Download
memory/3980-403-0x0000000000000000-mapping.dmp

Download