redline | 122b25706253072fe0ee6d45c913a50805f90d2c9c16a22137c7bf34a1046295

Analysis

max time kernel
150s
max time network
149s
platform
windows10_x64
resource
win10-20220414-en
submitted
22-05-2022 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

122b25706253072fe0ee6d45c913a50805f90d2c9c16a22137c7bf34a1046295.exe
Size

305KB
MD5

f62d1cbed2b3821765b5df85a16f93e6
SHA1

d2d861a3ea63c80b3b65d74e7de3959bb31629d5
SHA256

122b25706253072fe0ee6d45c913a50805f90d2c9c16a22137c7bf34a1046295
SHA512

0885f0bd7091f8c172f491ce5b192bf544e2982ea95834c1b1d4a45b4ae11be7a400184b1b2a97537f73a705b2cb8668996e3707f2d280ed611250057a5b6fe7

Score

10^/10

redline smokeloader 1 backdoor collection evasion infostealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://bahninfo.at/upload/

http://img4mobi.com/upload/

http://equix.ru/upload/

http://worldalltv.com/upload/

http://negarehgallery.com/upload/

http://lite-server.ru/upload/

http://piratia/su/upload/

http://go-piratia.ru/upload/

http://monsutiur4.com/

http://nusurionuy5ff.at/

http://moroitomo4.net/

http://susuerulianita1.net/

http://cucumbetuturel4.com/

http://nunuslushau.com/

http://linislominyt11.at/

http://luxulixionus.net/

http://lilisjjoer44.com/

http://nikogminut88.at/

http://limo00ruling.org/

http://mini55tunul.com/

rc4.i32

Extracted

Family

redline

Botnet

45.10.43.167:26696

Attributes

auth_value
3a70a3e2f548aaf61e05be9e4cadc7c1

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/868-420-0x0000000000890000-0x0000000000DB2000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

AC4D.exeCA27.exe9E31.exe7z.exe7z.exe7z.exe7z.exebenbenben.exe

pid process

2444 AC4D.exe
2880 CA27.exe
752 9E31.exe
200 7z.exe
2296 7z.exe
3916 7z.exe
512 7z.exe
868 benbenben.exe

pid	process
2444	AC4D.exe
2880	CA27.exe
752	9E31.exe
200	7z.exe
2296	7z.exe
3916	7z.exe
512	7z.exe
868	benbenben.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

benbenben.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	benbenben.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	benbenben.exe

Deletes itself 1 IoCs

Processes:

pid process

3056
Loads dropped DLL 4 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe

pid process

200 7z.exe
2296 7z.exe
3916 7z.exe
512 7z.exe

pid	process
3056

pid	process
200	7z.exe
2296	7z.exe
3916	7z.exe
512	7z.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

benbenben.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA benbenben.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2212 2880 WerFault.exe CA27.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	benbenben.exe

pid	pid_target	process	target process
2212	2880	WerFault.exe	CA27.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

122b25706253072fe0ee6d45c913a50805f90d2c9c16a22137c7bf34a1046295.exeAC4D.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	122b25706253072fe0ee6d45c913a50805f90d2c9c16a22137c7bf34a1046295.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	122b25706253072fe0ee6d45c913a50805f90d2c9c16a22137c7bf34a1046295.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	122b25706253072fe0ee6d45c913a50805f90d2c9c16a22137c7bf34a1046295.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AC4D.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AC4D.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AC4D.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

122b25706253072fe0ee6d45c913a50805f90d2c9c16a22137c7bf34a1046295.exe

pid	process
1660	122b25706253072fe0ee6d45c913a50805f90d2c9c16a22137c7bf34a1046295.exe
1660	122b25706253072fe0ee6d45c913a50805f90d2c9c16a22137c7bf34a1046295.exe
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3056
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

122b25706253072fe0ee6d45c913a50805f90d2c9c16a22137c7bf34a1046295.exeAC4D.exe

pid process

1660 122b25706253072fe0ee6d45c913a50805f90d2c9c16a22137c7bf34a1046295.exe
2444 AC4D.exe
3056
3056
3056
3056

pid	process
3056

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe

description	pid	process
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeRestorePrivilege	200	7z.exe
Token: 35	200	7z.exe
Token: SeSecurityPrivilege	200	7z.exe
Token: SeSecurityPrivilege	200	7z.exe
Token: SeRestorePrivilege	2296	7z.exe
Token: 35	2296	7z.exe
Token: SeSecurityPrivilege	2296	7z.exe
Token: SeSecurityPrivilege	2296	7z.exe
Token: SeRestorePrivilege	3916	7z.exe
Token: 35	3916	7z.exe
Token: SeSecurityPrivilege	3916	7z.exe
Token: SeSecurityPrivilege	3916	7z.exe
Token: SeRestorePrivilege	512	7z.exe
Token: 35	512	7z.exe
Token: SeSecurityPrivilege	512	7z.exe
Token: SeSecurityPrivilege	512	7z.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

9E31.execmd.exe

description	pid	process	target process
PID 3056 wrote to memory of 2444	3056		AC4D.exe
PID 3056 wrote to memory of 2444	3056		AC4D.exe
PID 3056 wrote to memory of 2444	3056		AC4D.exe
PID 3056 wrote to memory of 2880	3056		CA27.exe
PID 3056 wrote to memory of 2880	3056		CA27.exe
PID 3056 wrote to memory of 2880	3056		CA27.exe
PID 3056 wrote to memory of 752	3056		9E31.exe
PID 3056 wrote to memory of 752	3056		9E31.exe
PID 3056 wrote to memory of 752	3056		9E31.exe
PID 3056 wrote to memory of 1936	3056		explorer.exe
PID 3056 wrote to memory of 1936	3056		explorer.exe
PID 3056 wrote to memory of 1936	3056		explorer.exe
PID 3056 wrote to memory of 1936	3056		explorer.exe
PID 3056 wrote to memory of 4052	3056		explorer.exe
PID 3056 wrote to memory of 4052	3056		explorer.exe
PID 3056 wrote to memory of 4052	3056		explorer.exe
PID 752 wrote to memory of 2440	752	9E31.exe	cmd.exe
PID 752 wrote to memory of 2440	752	9E31.exe	cmd.exe
PID 2440 wrote to memory of 2760	2440	cmd.exe	mode.com
PID 2440 wrote to memory of 2760	2440	cmd.exe	mode.com
PID 2440 wrote to memory of 200	2440	cmd.exe	7z.exe
PID 2440 wrote to memory of 200	2440	cmd.exe	7z.exe
PID 2440 wrote to memory of 2296	2440	cmd.exe	7z.exe
PID 2440 wrote to memory of 2296	2440	cmd.exe	7z.exe
PID 2440 wrote to memory of 3916	2440	cmd.exe	7z.exe
PID 2440 wrote to memory of 3916	2440	cmd.exe	7z.exe
PID 2440 wrote to memory of 512	2440	cmd.exe	7z.exe
PID 2440 wrote to memory of 512	2440	cmd.exe	7z.exe
PID 2440 wrote to memory of 4092	2440	cmd.exe	attrib.exe
PID 2440 wrote to memory of 4092	2440	cmd.exe	attrib.exe
PID 2440 wrote to memory of 868	2440	cmd.exe	benbenben.exe
PID 2440 wrote to memory of 868	2440	cmd.exe	benbenben.exe
PID 2440 wrote to memory of 868	2440	cmd.exe	benbenben.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4092 attrib.exe

pid	process
4092	attrib.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\122b25706253072fe0ee6d45c913a50805f90d2c9c16a22137c7bf34a1046295.exe
"C:\Users\Admin\AppData\Local\Temp\122b25706253072fe0ee6d45c913a50805f90d2c9c16a22137c7bf34a1046295.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1660

C:\Users\Admin\AppData\Local\Temp\AC4D.exe
C:\Users\Admin\AppData\Local\Temp\AC4D.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2444

C:\Users\Admin\AppData\Local\Temp\CA27.exe
C:\Users\Admin\AppData\Local\Temp\CA27.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 480
2⤵
- Program crash
PID:2212

C:\Users\Admin\AppData\Local\Temp\9E31.exe
C:\Users\Admin\AppData\Local\Temp\9E31.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
2⤵
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\system32\mode.com
mode 65,10
3⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p283462270827100258722140325330 -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:200

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Windows\system32\attrib.exe
attrib +H "benbenben.exe"
3⤵
- Views/modifies file attributes
PID:4092

C:\Users\Admin\AppData\Local\Temp\main\benbenben.exe
"benbenben.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:868

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1936

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9E31.exe
Filesize
3.9MB

MD5
4f8a7c030aa8784e5f9726de742be5b5

SHA1
b458828a0383defa2b1c79dc043d7e7e8cc712c4

SHA256
b8885e1a627026d5ebbce5dfc321358a1d339e0b30c887ab39e4b9e972f90952

SHA512
0c74b22a46d6362fc8e5a9d919c8d32f6a2e21e9c3bdbfb0be679407a753f8995cc929956c7bd0351e6f4b8e224ea7fa4ebdc9b8d07c324608ffa2e20b4b8d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E31.exe
Filesize
3.9MB

MD5
4f8a7c030aa8784e5f9726de742be5b5

SHA1
b458828a0383defa2b1c79dc043d7e7e8cc712c4

SHA256
b8885e1a627026d5ebbce5dfc321358a1d339e0b30c887ab39e4b9e972f90952

SHA512
0c74b22a46d6362fc8e5a9d919c8d32f6a2e21e9c3bdbfb0be679407a753f8995cc929956c7bd0351e6f4b8e224ea7fa4ebdc9b8d07c324608ffa2e20b4b8d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC4D.exe
Filesize
305KB

MD5
487c55f72daf3fe41e979f3b428f9c4a

SHA1
bd1ae898cc1373df3fe60848c251dcc650f6abdf

SHA256
29a8abb96bd5a3a61f001d03503bea1ed895dd627927c5e34a7a25a2041f5363

SHA512
fbb7736a31423a165501977d1dcc469327c8621907707227ff094a6335271cd28306f678dff38bd87665a009384424d94073ff434f1014026896a0b437b25f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC4D.exe
Filesize
305KB

MD5
487c55f72daf3fe41e979f3b428f9c4a

SHA1
bd1ae898cc1373df3fe60848c251dcc650f6abdf

SHA256
29a8abb96bd5a3a61f001d03503bea1ed895dd627927c5e34a7a25a2041f5363

SHA512
fbb7736a31423a165501977d1dcc469327c8621907707227ff094a6335271cd28306f678dff38bd87665a009384424d94073ff434f1014026896a0b437b25f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA27.exe
Filesize
305KB

MD5
25ff517baa96a57613c0c19590a02dec

SHA1
64ef9d64e193f9be817b1be40b17aadcf13d8fe1

SHA256
80a9d81650131a25c4b0bc586bda9355b5f4b607cb71a5dcd7e0e6dc8dce6a30

SHA512
fcd99f53471a2f7f39d8be3d64b81aa721d3ac912912ae18ba61032730389825d664c74871c964ed49558fb7dd566f07cdf4cac0a2e0aceb9069b2f633419399

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA27.exe
Filesize
305KB

MD5
25ff517baa96a57613c0c19590a02dec

SHA1
64ef9d64e193f9be817b1be40b17aadcf13d8fe1

SHA256
80a9d81650131a25c4b0bc586bda9355b5f4b607cb71a5dcd7e0e6dc8dce6a30

SHA512
fcd99f53471a2f7f39d8be3d64b81aa721d3ac912912ae18ba61032730389825d664c74871c964ed49558fb7dd566f07cdf4cac0a2e0aceb9069b2f633419399

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\benbenben.exe
Filesize
1.5MB

MD5
4c76c4bb8969621583baa58bf9c625f4

SHA1
46fcb2f437241d330144ae3b9ec2980f9b12c209

SHA256
e78a454a7fcf939c27d8beec97b8b77f851df342e2682143c9d2dc66fcab4340

SHA512
5c52696822d339b0c9f53de3db0fabdf8c7158b6d00b42c59f78694b282243cf6f92066203c60cfcbf363b3684eba3ff10bdcd851557c05a46bfa38d0c856e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
Filesize
2.0MB

MD5
8f6c27385ab490689ddcc61866824ce8

SHA1
5b1874737e5cd1b1c52b7b8e10714d2c6e87d96d

SHA256
d47d174fa9feac7cd178bd9a62d0f9183651c043f6f3c8d15bb7197fc1fc042f

SHA512
046371e4c93c89ea54fceacd9b5f69e842f84debc00e668509d4b853e53621395cb4ac713093ff81368f9ad717f4621565a906a999d8dbfa3c0fad0278909c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\benbenben.exe
Filesize
1.5MB

MD5
4c76c4bb8969621583baa58bf9c625f4

SHA1
46fcb2f437241d330144ae3b9ec2980f9b12c209

SHA256
e78a454a7fcf939c27d8beec97b8b77f851df342e2682143c9d2dc66fcab4340

SHA512
5c52696822d339b0c9f53de3db0fabdf8c7158b6d00b42c59f78694b282243cf6f92066203c60cfcbf363b3684eba3ff10bdcd851557c05a46bfa38d0c856e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
Filesize
1.5MB

MD5
a73635e84d7ab318619454487514f446

SHA1
b492af29c93240c3479e69907f1ed74dec625ba6

SHA256
ed19a2d5f65d95969d697f205d3fa91688c6daac6274ac7e4847789c9b3a4061

SHA512
e8a0b92b3da67a60db0a9c65d7eb0bcd88d97ab1e72510eb602c1e0385b776c7834d08ff8618b805f805e457b21265884d71bdf9fafe6ca3da583ccd162b9f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
Filesize
1.5MB

MD5
620139174d311818701c05cbc8968c59

SHA1
7a427bf6653da862963e42c4f4a5a1ebd08ec061

SHA256
df5e8ab12f09d0dc41e2a7c7e5043d6477a7dc6d9a4bbae0943bbbbcfbdc6b2a

SHA512
21ebcfde72f38cc7d5feafe9168cb37e8b62c6fbf6a8c046fcba9cc9b6f079f5d4cc7dbf2b9d42e48fc4ff2909439a8cbff22c872b8453a944d0ad552792c37e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
Filesize
3.0MB

MD5
1a18731f1f1b9e3746a31b9bf7d6b901

SHA1
48cd2531251dff411b084dbb88c7fe6a73c437f8

SHA256
149b8af8eb2eba7d584bbc72083fd26b0cbc678f75739fce532bd80cc6548cd7

SHA512
4d298d564e4791f9404edafacd4d8ff2b70fb93152ca4e33a48fdd07f25c5d3b0bf616b4fe1cceb0a911093fb0ca47052a3529f115825729641b3dec1c82fafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin
Filesize
3.0MB

MD5
03bd09b1b43203b5847bd65a390c7fe9

SHA1
15599a412e9d6934eaf35da04488a997ce88638f

SHA256
11317bad4a6346566fec9f2cefcf1d0e97a074be1f85d2f25bebf4bbc532bd9a

SHA512
058a97e75feb690afc35939017017b6d86725ab901c0a52473e6bb201ac38bbc20e052762f49567ba7f6cd4ea23c0dc94f42aaaae7b80644438f3e4ab0ed3118

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat
Filesize
476B

MD5
21b6341d2b4fc3c54bca293b71545d0c

SHA1
ba66216cd3552de6b3ad254f65ccb834188347b0

SHA256
432347ce4e632e70cc0cb988ed72c43a17b81f8955a3905e43a93708029a0daf

SHA512
04842ab2240d782fe7f3336f4776576f67f3a30ae522713b2bfb8e5c86ca30a2706f2c73ede5647495b8cde06ad36b6499bf8bd9c8908e794fdbdb8bd0d534d1

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
memory/200-358-0x0000000000000000-mapping.dmp

Download
memory/512-370-0x0000000000000000-mapping.dmp

Download
memory/752-234-0x0000000000000000-mapping.dmp

Download
memory/868-442-0x0000000005B60000-0x0000000005BAB000-memory.dmp

Filesize
300KB

Download
memory/868-377-0x0000000000000000-mapping.dmp

Download
memory/868-420-0x0000000000890000-0x0000000000DB2000-memory.dmp

Filesize
5.1MB

Download
memory/868-435-0x0000000006070000-0x0000000006676000-memory.dmp

Filesize
6.0MB

Download
memory/868-436-0x0000000005A80000-0x0000000005A92000-memory.dmp

Filesize
72KB

Download
memory/868-437-0x0000000005BB0000-0x0000000005CBA000-memory.dmp

Filesize
1.0MB

Download
memory/868-440-0x0000000005AE0000-0x0000000005B1E000-memory.dmp

Filesize
248KB

Download
memory/1660-135-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-134-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-153-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1660-151-0x00000000006B1000-0x00000000006C1000-memory.dmp

Filesize
64KB

Download
memory/1660-147-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-150-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-149-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-148-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-146-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-145-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-144-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-143-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-142-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-141-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-140-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-139-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-138-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-137-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-136-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-152-0x00000000004F0000-0x000000000063A000-memory.dmp

Filesize
1.3MB

Download
memory/1660-133-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-132-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-131-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-129-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-130-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-119-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-128-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-127-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-126-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-125-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-124-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-123-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-118-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-120-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-122-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1660-121-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/1936-253-0x0000000000000000-mapping.dmp

Download
memory/2296-362-0x0000000000000000-mapping.dmp

Download
memory/2440-354-0x0000000000000000-mapping.dmp

Download
memory/2444-176-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-155-0x0000000000000000-mapping.dmp

Download
memory/2444-175-0x00000000007E1000-0x00000000007F2000-memory.dmp

Filesize
68KB

Download
memory/2444-190-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-188-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-157-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-158-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-159-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-160-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-187-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-186-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-185-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-184-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-161-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-183-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-182-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-162-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-174-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-180-0x0000000000490000-0x00000000005DA000-memory.dmp

Filesize
1.3MB

Download
memory/2444-181-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-179-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-177-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-189-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-191-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-178-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2444-173-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-163-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-172-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-171-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-170-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-169-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-168-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-167-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-166-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2444-165-0x0000000077B50000-0x0000000077CDE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-356-0x0000000000000000-mapping.dmp

Download
memory/2880-232-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2880-231-0x0000000000490000-0x000000000053E000-memory.dmp

Filesize
696KB

Download
memory/2880-230-0x00000000006A1000-0x00000000006B2000-memory.dmp

Filesize
68KB

Download
memory/2880-194-0x0000000000000000-mapping.dmp

Download
memory/3056-233-0x0000000004BA0000-0x0000000004BB6000-memory.dmp

Filesize
88KB

Download
memory/3056-154-0x0000000000B70000-0x0000000000B86000-memory.dmp

Filesize
88KB

Download
memory/3916-366-0x0000000000000000-mapping.dmp

Download
memory/4052-299-0x0000000000000000-mapping.dmp

Download
memory/4092-376-0x0000000000000000-mapping.dmp

Download