Analysis Overview
SHA256
e61172cff1b99c47459423990313f06169c2e25c2273036c54780fb8068a7f57
Threat Level: Known bad
The file pub1.exe was found to be: Known bad.
Malicious Activity Summary
Arkei
SmokeLoader
RedLine
RedLine Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Downloads MZ/PE file
Checks BIOS information in registry
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Obfuscated with Agile.Net obfuscator
Checks whether UAC is enabled
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Delays execution with timeout.exe
Suspicious behavior: MapViewOfSection
Checks processor information in registry
Checks SCSI registry key(s)
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-19 04:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-19 04:34
Reported
2022-04-19 04:45
Platform
win7-20220414-en
Max time kernel
152s
Max time network
39s
Command Line
Signatures
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\pub1.exe
"C:\Users\Admin\AppData\Local\Temp\pub1.exe"
Network
Files
memory/1692-54-0x0000000075951000-0x0000000075953000-memory.dmp
memory/1692-55-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/1692-56-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/1692-57-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/1692-58-0x0000000000190000-0x00000000001D3000-memory.dmp
memory/1692-59-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/1692-60-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/1692-61-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/1692-62-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/1692-63-0x00000000779E0000-0x0000000077B60000-memory.dmp
memory/1692-64-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/1312-65-0x00000000026B0000-0x00000000026C6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-19 04:34
Reported
2022-04-19 04:45
Platform
win10v2004-20220414-en
Max time kernel
152s
Max time network
149s
Command Line
Signatures
Arkei
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Executes dropped EXE
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7FD3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7B7C.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7B7C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7B7C.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 540 set thread context of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\67E2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1368 set thread context of 4064 | N/A | C:\Users\Admin\AppData\Local\Temp\6D42.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 368 set thread context of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\730F.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4512 set thread context of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\8CC4.exe | C:\Users\Admin\AppData\Local\Temp\8CC4.exe |
| PID 3820 set thread context of 4960 | N/A | C:\Users\Admin\AppData\Local\Temp\7B7C.exe | C:\Users\Admin\AppData\Local\Temp\7B7C.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7B7C.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7B7C.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pub1.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8CC4.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\pub1.exe
"C:\Users\Admin\AppData\Local\Temp\pub1.exe"
C:\Users\Admin\AppData\Local\Temp\67E2.exe
C:\Users\Admin\AppData\Local\Temp\67E2.exe
C:\Users\Admin\AppData\Local\Temp\6D42.exe
C:\Users\Admin\AppData\Local\Temp\6D42.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\730F.exe
C:\Users\Admin\AppData\Local\Temp\730F.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\7B7C.exe
C:\Users\Admin\AppData\Local\Temp\7B7C.exe
C:\Users\Admin\AppData\Local\Temp\7FD3.exe
C:\Users\Admin\AppData\Local\Temp\7FD3.exe
C:\Users\Admin\AppData\Local\Temp\8CC4.exe
C:\Users\Admin\AppData\Local\Temp\8CC4.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\mode.com
mode 65,10
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p96837877381925591435828468 -oextracted
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_10.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_9.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_8.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "hire.exe"
C:\Users\Admin\AppData\Local\Temp\main\hire.exe
"hire.exe"
C:\Users\Admin\AppData\Local\Temp\8CC4.exe
"C:\Users\Admin\AppData\Local\Temp\8CC4.exe"
C:\Users\Admin\AppData\Local\Temp\7B7C.exe
"C:\Users\Admin\AppData\Local\Temp\7B7C.exe"
C:\Users\Admin\AppData\Local\Temp\7B7C.exe
"C:\Users\Admin\AppData\Local\Temp\7B7C.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7B7C.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.133:80 | | tcp |
| US | 20.189.173.2:443 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| US | 8.8.8.8:53 | hydroxychl0roquine.xyz | udp |
| NL | 37.0.10.25:80 | hydroxychl0roquine.xyz | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | is.gd | udp |
| US | 172.67.83.132:443 | is.gd | tcp |
| NL | 212.192.246.121:80 | 212.192.246.121 | tcp |
| RU | 46.8.220.88:65531 | | tcp |
| RU | 46.8.220.88:65531 | | tcp |
| RU | 193.150.103.38:40169 | | tcp |
| RU | 46.8.220.88:65531 | | tcp |
| FR | 2.58.56.219:39064 | | tcp |
| RU | 92.119.160.244:80 | 92.119.160.244 | tcp |
Files
memory/4672-130-0x0000000002690000-0x00000000026D3000-memory.dmp
memory/4672-131-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/4672-132-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/4672-133-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/4672-134-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/4672-135-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/4672-136-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/4672-137-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/4672-138-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/4672-139-0x00000000770E0000-0x0000000077283000-memory.dmp
memory/4672-140-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/2812-141-0x00000000027D0000-0x00000000027E6000-memory.dmp
memory/540-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\67E2.exe
| MD5 | da31f971f1f97923faf839a21b97c77e |
| SHA1 | 605a73437a1ef081a1896f39abb47435b4db55bd |
| SHA256 | 36f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f |
| SHA512 | dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858 |
C:\Users\Admin\AppData\Local\Temp\67E2.exe
| MD5 | da31f971f1f97923faf839a21b97c77e |
| SHA1 | 605a73437a1ef081a1896f39abb47435b4db55bd |
| SHA256 | 36f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f |
| SHA512 | dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858 |
memory/540-145-0x0000000000D40000-0x0000000000F06000-memory.dmp
memory/540-146-0x0000000000D40000-0x0000000000F06000-memory.dmp
memory/1368-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6D42.exe
| MD5 | da31f971f1f97923faf839a21b97c77e |
| SHA1 | 605a73437a1ef081a1896f39abb47435b4db55bd |
| SHA256 | 36f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f |
| SHA512 | dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858 |
C:\Users\Admin\AppData\Local\Temp\6D42.exe
| MD5 | da31f971f1f97923faf839a21b97c77e |
| SHA1 | 605a73437a1ef081a1896f39abb47435b4db55bd |
| SHA256 | 36f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f |
| SHA512 | dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858 |
memory/1368-150-0x0000000000540000-0x0000000000706000-memory.dmp
memory/540-151-0x00000000012E3000-0x00000000012E5000-memory.dmp
memory/4196-152-0x0000000000000000-mapping.dmp
memory/4196-154-0x0000000000770000-0x0000000000790000-memory.dmp
memory/1368-153-0x0000000000540000-0x0000000000706000-memory.dmp
memory/4064-159-0x0000000000000000-mapping.dmp
memory/4064-160-0x0000000000400000-0x0000000000420000-memory.dmp
memory/368-165-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\730F.exe
| MD5 | da31f971f1f97923faf839a21b97c77e |
| SHA1 | 605a73437a1ef081a1896f39abb47435b4db55bd |
| SHA256 | 36f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f |
| SHA512 | dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858 |
C:\Users\Admin\AppData\Local\Temp\730F.exe
| MD5 | da31f971f1f97923faf839a21b97c77e |
| SHA1 | 605a73437a1ef081a1896f39abb47435b4db55bd |
| SHA256 | 36f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f |
| SHA512 | dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858 |
memory/368-168-0x0000000000300000-0x00000000004C6000-memory.dmp
memory/368-169-0x0000000000300000-0x00000000004C6000-memory.dmp
memory/1448-170-0x0000000000000000-mapping.dmp
memory/3820-176-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7B7C.exe
| MD5 | bb4ce5daeb417b865c58aee98da5b5b8 |
| SHA1 | 2c956c78187157cf9b846af318c1f9ee2dca7b2a |
| SHA256 | 185016d4e5de1f766803ab7c5a5d05475ea38484551f3d500f6074883823d2b2 |
| SHA512 | a8c2563875c71f644a453bbf860e8d2ee9778de3c45e664c43fb2a77ff56934f153e5a39bf08d02f8a5a1b4a7594d75a75ab795fd1e49402f8b9b8ed0c77a58a |
C:\Users\Admin\AppData\Local\Temp\7B7C.exe
| MD5 | bb4ce5daeb417b865c58aee98da5b5b8 |
| SHA1 | 2c956c78187157cf9b846af318c1f9ee2dca7b2a |
| SHA256 | 185016d4e5de1f766803ab7c5a5d05475ea38484551f3d500f6074883823d2b2 |
| SHA512 | a8c2563875c71f644a453bbf860e8d2ee9778de3c45e664c43fb2a77ff56934f153e5a39bf08d02f8a5a1b4a7594d75a75ab795fd1e49402f8b9b8ed0c77a58a |
memory/4716-179-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7FD3.exe
| MD5 | 59fe49e18a0d7e34c341039b9e201a1b |
| SHA1 | 4dcff49906fc3edc5f56597ad5603de95406bd42 |
| SHA256 | 2c03b271f9f6870ba2d36e812d737d841b3fec61d0f1404271af57cfee4610a8 |
| SHA512 | 0f16da2dc9dee0e4779bcfb6cefb06be083ea1cc0c96ae3faa168d3c403f5ebfc8db116159112c25cc491544e355f4c777ff3d9d328794dfc5402e32e1403de5 |
C:\Users\Admin\AppData\Local\Temp\7FD3.exe
| MD5 | 59fe49e18a0d7e34c341039b9e201a1b |
| SHA1 | 4dcff49906fc3edc5f56597ad5603de95406bd42 |
| SHA256 | 2c03b271f9f6870ba2d36e812d737d841b3fec61d0f1404271af57cfee4610a8 |
| SHA512 | 0f16da2dc9dee0e4779bcfb6cefb06be083ea1cc0c96ae3faa168d3c403f5ebfc8db116159112c25cc491544e355f4c777ff3d9d328794dfc5402e32e1403de5 |
memory/4512-182-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8CC4.exe
| MD5 | 33064856b502dff3ad77d3efebe3fb7a |
| SHA1 | 0431b2ca039455d2858792b42f73f19972f6c3aa |
| SHA256 | 84520a2aae782df51d6217b686dabfdde03fca8b0df25099c68cc2c80d7d7f79 |
| SHA512 | d2b840e571a94aaa1f2908d9b9920c7ea261fc5702cc297dc464b69098667229d7f8e043b2aec2f8e0c063a09462cffec3cbb5112336ead639d3558a82389929 |
C:\Users\Admin\AppData\Local\Temp\8CC4.exe
| MD5 | 33064856b502dff3ad77d3efebe3fb7a |
| SHA1 | 0431b2ca039455d2858792b42f73f19972f6c3aa |
| SHA256 | 84520a2aae782df51d6217b686dabfdde03fca8b0df25099c68cc2c80d7d7f79 |
| SHA512 | d2b840e571a94aaa1f2908d9b9920c7ea261fc5702cc297dc464b69098667229d7f8e043b2aec2f8e0c063a09462cffec3cbb5112336ead639d3558a82389929 |
memory/4392-185-0x0000000000000000-mapping.dmp
memory/3632-186-0x0000000000000000-mapping.dmp
memory/388-187-0x0000000000000000-mapping.dmp
memory/4512-188-0x00000000009F0000-0x0000000000AA4000-memory.dmp
memory/3820-189-0x0000000000520000-0x0000000000608000-memory.dmp
memory/1396-190-0x0000000000000000-mapping.dmp
memory/1188-191-0x0000000000000000-mapping.dmp
memory/4848-192-0x0000000000000000-mapping.dmp
memory/3820-193-0x0000000005630000-0x0000000005BD4000-memory.dmp
memory/3820-194-0x0000000005080000-0x0000000005112000-memory.dmp
memory/716-195-0x0000000000000000-mapping.dmp
memory/1108-196-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 23310452faa9573058dd95589abe54d5 |
| SHA1 | ca087de5446a1b4829f6b8859a60fd3659acab1b |
| SHA256 | 0a22af544e8bc2a875a2250aaa7e8e4fa6a80db07ed445a3eae66e139f557e3f |
| SHA512 | d7c69f625e1f67fc44701701b4d42dfb438938070906c24ca696f42c750ef56ff8767d13248c09311a3960f443d8e874e38c1e4895ff16ee2ec6dc50db8dc383 |
memory/3820-198-0x0000000005120000-0x00000000051BC000-memory.dmp
memory/1272-199-0x0000000000000000-mapping.dmp
memory/2548-200-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | 7652cbda786d25849465df3a97c7734c |
| SHA1 | c032fa46d521ac3600aecfc0834d5b9e9ee01eb4 |
| SHA256 | 3a36e2a92498bd67a995494a824530bc21af69f12a2096f3936c1690689c9bcc |
| SHA512 | 0231e513358a448a35f6c20ee2e258f548875fdf96d19b6802cdeaa2e063750a1a336a418a0099747fe6bb9edd21ba00f7d7a08afeacc375ac5eaa82ed11b163 |
memory/2180-202-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
memory/4756-206-0x0000000000000000-mapping.dmp
memory/1712-207-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip
| MD5 | 39310851cf735eb4c44bec45e7b52f56 |
| SHA1 | 6c252ec2888666fa7291b308b5ca81d671ee8cb2 |
| SHA256 | 1604e7fef8cc5e57b2bd27f157c109d457abb71f83523be6a5d3d52c328a3e22 |
| SHA512 | efa080e1fb5091904b17c9e26dc9f9659166b53dea38e6c014d951a3f3af3554e86b49d3fec7bdca9890831f64b667f70eb740fffe942fa0644de5966dac6476 |
memory/2428-211-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip
| MD5 | e099eeccef9a744d937027fff0494bf4 |
| SHA1 | de556ac552a015dde90391ea36753cd356b9a712 |
| SHA256 | 918af62ee7bfdf7828788247dbec453d91dbefdc0371e2331870fde23b9c1bdb |
| SHA512 | 321197e937f5ec595af2dcc7344ccb8f10299a0f94408d57a9da0c7f0832f6698d70b375a8da3c4a21c27acd988f2e161d1d92c93aec0c9bbc7ecf86b9660467 |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
memory/2860-215-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip
| MD5 | 7886946b4ef0e55bd5cc6fbc39ca3155 |
| SHA1 | 1a8d82ba47842c038170b8136af62f3591b8ebd9 |
| SHA256 | 26a8c1b5f0165b32a3b64940123913587c8545c085f1742da7569981de96e2a7 |
| SHA512 | 8671edfddd4e1a0948c4e04026a2532ae6319d45c1b58e248f0faf41c96bbdfd4442d01be5a6e20711e817c9dfb5f15cc44de27839754f8803336ee1b00512bb |
memory/3444-219-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
| MD5 | bbae2a6a6e1d982f12ed3e1b07bb853d |
| SHA1 | ac4a1312148b15f14f987e73dce9a8d51240ee54 |
| SHA256 | cc8967c77f6688d5924a4bdf4f6b85a277beabf2d22084eedc10b746475ee816 |
| SHA512 | e9014c834541b55284ae58f864ad1e5e723c4cc1022a8462affe46bd3b5a5142e656fa30e93d287d3823712c9b25b625ba86fd4cda1c4f90a78983c291a0660d |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
memory/3800-223-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
| MD5 | d0636c61c69dc5105ff387bce4e94664 |
| SHA1 | e95ff25907848e380b872defef189670cf887399 |
| SHA256 | bfaa59e4f3fe92d28c60360a01edc98b65416d799e1c7fcc1704d656c07ae89b |
| SHA512 | 94efc4b118bb6dbb0d19d436ae5621fa1251e920cda7d0c9c43127d96279656e00403f41e268e3d78c87521f28179ecbf7c318f86ddba071fd0a87e265f2779f |
memory/1904-227-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
| MD5 | 0cccbed96119ca7d63ddb52bd30d3237 |
| SHA1 | cb16b5288f7798dcb506c5dfe7ac5b5d163a23ca |
| SHA256 | 41fb5c18901ea46678070a748bfbd78852ceacc50e8d83f7fcafad5c6a5682f0 |
| SHA512 | 490eedf17541fc4b5f761e3575644c7cb4461b0fd49482020534ceb54d68c62be4a70f897c288a46c6450d4c4b82467fc39130b79c8a6ea2c825ae226cf3887a |
memory/2304-231-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
| MD5 | 101e6ca25c3c06778d7b6ebd1b08a2f9 |
| SHA1 | 2721161c15c19a0d95a292b0f1df35a318637619 |
| SHA256 | 33a661b87c7687d558d9f0eb137ee33f45b1a40d4619631c1338358e9fa1e597 |
| SHA512 | 6a30d7ce5c476ddf7df2197ffdebb81a36404bcb84b63ec04605243b9893a7349cf885480ccc70a254a1b2d74f1ed7f158cf0c58f7018c32a13f65d762cde817 |
memory/1876-235-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
| MD5 | f26147e97764126d6e9ba110f95ca85b |
| SHA1 | 219f2548f4881a81c4ea68c78f7bf10f025a9034 |
| SHA256 | d61fd6fd4576641a58d86fbbc228367b31ba38631a99ba35d8b3a3c45d8c44a5 |
| SHA512 | e283e077151d15cd29f198290c423abb4300312134d0057a0b37ea73bc067a6026af01b0d6bbef5c00485d8d4c5c823400ec6ce64047307152a51337a89de80d |
memory/1556-239-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | c67927df1f6589561a638767efb6dd72 |
| SHA1 | 184cf259595c35ff6a45dc834fce589c1496694c |
| SHA256 | 7f6445e0c575ef209c4ae787c56fd89806320dc4b0903ea2f1a1c33f6b117f74 |
| SHA512 | c20cb8a6ad0ac996cd9711bc7acca235a93f63572d1175518057ad243c392dba55661fea6a6318031d5bc9aa23a7406cbcbb4c6a5bd16cf14567ed1be636aa72 |
memory/3000-243-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
| MD5 | dca60c629952ec7a5a4d36965f5b20c6 |
| SHA1 | 9d612cca5ba683bf9c8515eab264a38b03403870 |
| SHA256 | bef44d7d8f627d2ff2e829614b3439cc71be4d18a1760b076f61fd9d2366f3b7 |
| SHA512 | 41a3ef66b0b62ea5678a358628890e9f127181ee6a8ac7895325d305997e3b6c41a1ebef493d895a47e2b60c3b4434d3f22b467c25b8efb444adc0b27f9ab996 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\hire.exe
| MD5 | 996fdc6ba853d25224d6f608ea28cc15 |
| SHA1 | 0a6cdd4c1450ceafd82644b7fbb9aafb845033e4 |
| SHA256 | cddb3040a3feb3dd11945f4bb2e5ec21754d0f1ac8eb47644f5aaada8136a7d2 |
| SHA512 | 0c720655d076f193d927c54467ce3b4c4942ef705a09fe97055cbc20cf11464437b6a51427ec4872c458096bdb84a82f7e67c8338953a5b27ce7bc779a50b0a2 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
| MD5 | c21255332a07477b3878619d85ae1504 |
| SHA1 | 72310b5ef8dce97aa730b95bd8ad1d717720d262 |
| SHA256 | b48fbb856072b5fe578adc21a99e2d07ee631506e8aa0af7e08a468e50d53701 |
| SHA512 | 6b4b02ee1a8dab23d61ddbc443dcfc66b1e4169bc5a0f9f1bdb617ea56f40473671629cf9229923ae55551f85a84552640af692890f5262133ab6c0aa4424582 |
memory/3820-249-0x0000000004FA0000-0x0000000004FAA000-memory.dmp
memory/1956-250-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\main\hire.exe
| MD5 | 996fdc6ba853d25224d6f608ea28cc15 |
| SHA1 | 0a6cdd4c1450ceafd82644b7fbb9aafb845033e4 |
| SHA256 | cddb3040a3feb3dd11945f4bb2e5ec21754d0f1ac8eb47644f5aaada8136a7d2 |
| SHA512 | 0c720655d076f193d927c54467ce3b4c4942ef705a09fe97055cbc20cf11464437b6a51427ec4872c458096bdb84a82f7e67c8338953a5b27ce7bc779a50b0a2 |
memory/2808-251-0x0000000000000000-mapping.dmp
memory/2808-253-0x00000000001B0000-0x00000000001CC000-memory.dmp
memory/4196-254-0x00000000052C0000-0x00000000058D8000-memory.dmp
memory/4196-255-0x0000000004D60000-0x0000000004D72000-memory.dmp
memory/4064-256-0x00000000051F0000-0x00000000052FA000-memory.dmp
memory/4064-257-0x0000000005120000-0x000000000515C000-memory.dmp
memory/2808-258-0x0000000004D90000-0x0000000004DF6000-memory.dmp
memory/2808-259-0x0000000005900000-0x0000000005976000-memory.dmp
memory/2808-260-0x0000000005B00000-0x0000000005B1E000-memory.dmp
memory/2808-261-0x0000000005DD0000-0x0000000005E20000-memory.dmp
memory/4196-262-0x0000000006910000-0x0000000006AD2000-memory.dmp
memory/4196-263-0x0000000007010000-0x000000000753C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | b36b765368ef3d28e0ac71325e064bb3 |
| SHA1 | 8b7a31ece165746c4ce84681841a3e360eb7d946 |
| SHA256 | 76955493b9deaa91c45f42271bd41bb82897b2d79937a0fc09c9102a618a01f4 |
| SHA512 | d2ff0339c4b5e9db27455d95e2407bac7df8ef08a9d0b7cdb6c9a667a53220a4af6ff0e0bfb5134d49f385bf0464c65d4921896b238a0df97085d4cc3900aabe |
memory/3808-265-0x0000000000000000-mapping.dmp
memory/3808-266-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8CC4.exe
| MD5 | 33064856b502dff3ad77d3efebe3fb7a |
| SHA1 | 0431b2ca039455d2858792b42f73f19972f6c3aa |
| SHA256 | 84520a2aae782df51d6217b686dabfdde03fca8b0df25099c68cc2c80d7d7f79 |
| SHA512 | d2b840e571a94aaa1f2908d9b9920c7ea261fc5702cc297dc464b69098667229d7f8e043b2aec2f8e0c063a09462cffec3cbb5112336ead639d3558a82389929 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8CC4.exe.log
| MD5 | d95b93a855f3e54144996d8161bf8d24 |
| SHA1 | 2ffa482f6b897d8b52218b7f16fd9ece35592ef9 |
| SHA256 | 4f7982843d7a822ce15cf5fe8fd3cb39fdcce3660f2bba0cda1e61dc9356cd3b |
| SHA512 | 967d6643c1ad4e6d266e8c711febbb3dd6123d1c62d8317327c96f71f2cc288dcb4bc812cbfdb6ef4e5aaaaa042666c429815eb759629e0e542b213dec27f233 |
memory/4992-269-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7B7C.exe
| MD5 | bb4ce5daeb417b865c58aee98da5b5b8 |
| SHA1 | 2c956c78187157cf9b846af318c1f9ee2dca7b2a |
| SHA256 | 185016d4e5de1f766803ab7c5a5d05475ea38484551f3d500f6074883823d2b2 |
| SHA512 | a8c2563875c71f644a453bbf860e8d2ee9778de3c45e664c43fb2a77ff56934f153e5a39bf08d02f8a5a1b4a7594d75a75ab795fd1e49402f8b9b8ed0c77a58a |
memory/4960-271-0x0000000000000000-mapping.dmp
memory/4960-272-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7B7C.exe
| MD5 | bb4ce5daeb417b865c58aee98da5b5b8 |
| SHA1 | 2c956c78187157cf9b846af318c1f9ee2dca7b2a |
| SHA256 | 185016d4e5de1f766803ab7c5a5d05475ea38484551f3d500f6074883823d2b2 |
| SHA512 | a8c2563875c71f644a453bbf860e8d2ee9778de3c45e664c43fb2a77ff56934f153e5a39bf08d02f8a5a1b4a7594d75a75ab795fd1e49402f8b9b8ed0c77a58a |
memory/4960-275-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4960-276-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4960-277-0x0000000060900000-0x0000000060992000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
C:\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
memory/1672-298-0x0000000000000000-mapping.dmp
memory/1452-299-0x0000000000000000-mapping.dmp
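The listing above is long because the sandbox records the same bundled 7z.exe and 7z.dll once per extraction step (file_1.zip through file_10.zip) and records hire.exe under two paths with identical hashes. The script below is an added example, not part of the sandbox report or any tool the report was produced with: it parses the "path, then `| algo | digest |` rows, then `memory/...` dump lines" format shown on this page into a set of unique files keyed by SHA256, flags any SHA256 whose MD5/SHA1 disagree between listings (a sign of a mixed-up or tampered listing), reports files seen under more than one path, and sums the dumped memory per PID. The sample input is a constructed slice of this page's own entries (paths and digests copied from the report, trimmed to keep the example short); the function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a slice of this report's own dropped-file listing
# (paths and hashes copied from the page; entries trimmed so the example stays short).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
memory/4756-206-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\hire.exe
| MD5 | 996fdc6ba853d25224d6f608ea28cc15 |
| SHA256 | cddb3040a3feb3dd11945f4bb2e5ec21754d0f1ac8eb47644f5aaada8136a7d2 |
memory/3820-249-0x0000000004FA0000-0x0000000004FAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\hire.exe
| MD5 | 996fdc6ba853d25224d6f608ea28cc15 |
| SHA256 | cddb3040a3feb3dd11945f4bb2e5ec21754d0f1ac8eb47644f5aaada8136a7d2 |
memory/2808-253-0x00000000001B0000-0x00000000001CC000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# memory/<pid>-<seq>-0x<start>[-0x<end>]-(mapping|memory).dmp ; mapping dumps carry no end address
DUMP_ROW = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(mapping|memory)\.dmp$"
)


@dataclass
class Artifact:
    """One unique file, keyed by SHA256, with every path it was listed under."""
    hashes: dict = field(default_factory=dict)      # algo -> lowercase hex digest
    paths: list = field(default_factory=list)       # every listing, duplicates kept
    conflicts: list = field(default_factory=list)   # (algo, first, later) when digests disagree


def parse_listing(text):
    """Parse the report's file/hash/memory-dump lines into (artifacts by sha256, dumps)."""
    artifacts = {}
    dumps = []
    pending = None  # {"path": ..., "hashes": {...}} for the entry currently being read

    def flush():
        # Entries without a SHA256 row (e.g. cut off at the slice boundary) are dropped.
        if pending is None or "sha256" not in pending["hashes"]:
            return
        art = artifacts.setdefault(pending["hashes"]["sha256"], Artifact())
        art.paths.append(pending["path"])
        for algo, digest in pending["hashes"].items():
            first = art.hashes.setdefault(algo, digest)
            if first != digest:  # same SHA256 but a different MD5/SHA1: listing is inconsistent
                art.conflicts.append((algo, first, digest))

    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if pending is not None:  # a hash row before any path is an orphan and is ignored
                pending["hashes"][m.group(1).lower()] = m.group(2).lower()
            continue
        m = DUMP_ROW.match(line)
        if m:
            flush()
            pending = None
            start = int(m.group(3), 16)
            end = int(m.group(4), 16) if m.group(4) else start
            dumps.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                          "start": start, "size": end - start, "kind": m.group(5)})
            continue
        flush()
        pending = {"path": line, "hashes": {}}  # any other line starts a new file entry
    flush()
    return artifacts, dumps


def multi_path(artifacts):
    """SHA256s listed under more than one distinct path (a file copied or moved on disk)."""
    return {h: sorted(set(a.paths)) for h, a in artifacts.items() if len(set(a.paths)) > 1}


def dump_bytes_by_pid(dumps):
    """Total bytes of dumped memory per PID; mapping.dmp entries have no region and add 0."""
    totals = {}
    for d in dumps:
        totals[d["pid"]] = totals.get(d["pid"], 0) + d["size"]
    return totals


def ioc_lines(artifacts):
    """One line per unique file: sha256, number of listings, distinct basenames."""
    out = []
    for h, a in sorted(artifacts.items()):
        names = sorted({p.rsplit("\\", 1)[-1] for p in a.paths})
        out.append(f"{h}  x{len(a.paths)}  {','.join(names)}")
    return out


if __name__ == "__main__":
    arts, dumps = parse_listing(SAMPLE)
    for line in ioc_lines(arts):
        print(line)
    print("same hash under several paths:", multi_path(arts))
    print("dumped bytes per pid:", dump_bytes_by_pid(dumps))
    print("hash conflicts:", {h: a.conflicts for h, a in arts.items() if a.conflicts})
```

Run it against the full listing (paste the whole section into `SAMPLE` or read it from a file) to get one line per unique file instead of one per extraction step; the `x<count>` column then shows how many times the dropper invoked the bundled 7-Zip, and `multi_path` surfaces the hire.exe copy from `extracted\` to `main\`. The conflict check matters when several reports are concatenated: a SHA256 paired with two different MD5s means two listings were merged wrongly, not that a collision occurred.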