Analysis Overview
SHA256
31faa0fee4913ec40074988c164a361d45bbc434ff9345328fc126d3e5ede84b
Threat Level: Known bad
The file a8048bd6fc7d336d7f6e0fd6800da673.bin was found to be: Known bad.
Malicious Activity Summary
Detect Poverty Stealer Payload
Poverty Stealer
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-06 02:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-06 02:01
Reported
2024-03-06 02:04
Platform
win7-20240220-en
Max time kernel
117s
Max time network
117s
Command Line
Signatures
Detect Poverty Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Poverty Stealer
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1564 set thread context of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe
"C:\Users\Admin\AppData\Local\Temp\d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p125762329330388294023250819845 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "nmYIeCI7gcMH.exe"
C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe
"nmYIeCI7gcMH.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | joxi.net | udp |
| US | 172.67.162.70:80 | joxi.net | tcp |
| US | 172.67.162.70:443 | joxi.net | tcp |
| DE | 146.70.169.164:2227 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 12b875e85a885c81bc04161e9df9151a |
| SHA1 | 7d9e32a575e487611abb182b4d89b1ab4f4e7a06 |
| SHA256 | 97e80e083ba83a031bb03097cd81d86708165cd7eb1c070782e6a7234de784a5 |
| SHA512 | 3ba38a4024287bcaeee208a1c0158fae73a86d5581cf566309985bbd204e810eb5fd099a1816a9326c9e25bb08a2da20f2a4884978eb4e4ed8a3762c1057d0ca |
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | afaebf70e6daf7bf2e07cd11f93ee4a1 |
| SHA1 | 4e8b08b3e50f860955bd00d16fc1653c07b7c608 |
| SHA256 | 4a9d76fb9d77efaf81616e750b928ba3955599acafb2c0fec0d7ce412db0f47b |
| SHA512 | 4db3a63f03f8816b85fdb905e2a2f08967f9f3735206f08f2cae8b8cd561e8563d2f92c188d32b94fdb6d472e07c5f41f54e26673f8a81449454225220ba397f |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
| MD5 | 9e57c6bb6dfb456cd9907844b7afafbd |
| SHA1 | daee76439ed4cd77192dc5c2d52b187f18e5ba99 |
| SHA256 | 729dbb0bd855dc1c1cf59366f49e29cb2b6e0d1279270924d2b131d7df749eab |
| SHA512 | 3a99dae0a7c4ac47c5143dd6ada9a485cf115d3d9b172c3ba6d0847d6848e41defccd3a4eaf1b44c3ae46820c2164127b4e1ceaa5e07a8028e9b38f823a5960b |
\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 818538f3279c7f21983b3015f69c4d0e |
| SHA1 | 9c27bbd5d184e8e2695a308376d19a1359b1d5e7 |
| SHA256 | 9dbc148f88a206c1b07f4969d89a502834956d7b36ce3262ccb04fd6c86921a0 |
| SHA512 | 6facd64e99e91e85cc9d2ad7085d909237f618a60cb432ab54383b10bd7980c2bc01d960af670f7b785ae3c290589e14db593980189456a4bd29c8d55de7579b |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
| MD5 | 4ab6b1ed8f26df37c531a80147982511 |
| SHA1 | 25d59710197c30eee836096dfcce139ba84f978a |
| SHA256 | 33f73488015443cc05fa02d1c0723921502de5cac3206cf9fc433472a2afb162 |
| SHA512 | a582e4cd93baf45b48aad086ffc5edab4ec899cbd029e9e740e93cf34a2aff492f14c92ed2efc0339fc4eed979311600007fca3075abda28232d9d351dd49e24 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
| MD5 | 210ee7f34c0ff268d33d598a49eb889a |
| SHA1 | 876dea438f3f365513159630a12a2192fecd8b7f |
| SHA256 | 9d8ee7edf36676633d624774cb194a45ef8ae286cb5e9591d46c20be57a9282f |
| SHA512 | 383bb66f996b858d4ef23eed2264c4f890d47aca7b3da88587e3bb6454183f8d35e44411b08eecafe3fbb0638610cd872d1d00402dd8ff0b660102a44b53bcb1 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | 763cb011f068f184a672e254d3ce3c39 |
| SHA1 | 59eb148e6ad321cac5396e6a58c1528f7932befb |
| SHA256 | d25782f4a9573c40747458b6916e9332b34a349b3011ec85dd5d11a583a87105 |
| SHA512 | 530b8c0ad90b53f38cd56ffaf3766f33167c9922e55f8485ca87019275730c94dd6a84a1d9578163c45bae2743cf6981041f9ccc97ceb822f8d607f94a0c1d28 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
| MD5 | 5f79b89dbaf23387caa818b0da7b8ea2 |
| SHA1 | 3c38d94819331fd551c07048841cfe6ecbf29e18 |
| SHA256 | 7abc58d9dd3dee48f88629c8dcaf12e72a337f8bf1dbce59d464ab6ed698b726 |
| SHA512 | a6381f3b0d3184ab098e9a40ca65dd1cec76cb7e0cfe13a5c2d188e4c8e6d077286c70a366ad6ffc7e7f68faa6240a730b7034fcaa00d1c1f0922e42c1edb8fc |
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
| MD5 | 47e8ed572da00474326b4cee8f85b005 |
| SHA1 | 94bceabdc880c41d73d6c984a9d61c31dd29ce91 |
| SHA256 | abd52eb132c8c23669233a656f036a0e07692efd398894b724b61b66a75564af |
| SHA512 | 31da04b57f0ef1b3363a3fa4855ca576d9159d374de0d2d9defb5524e67fed740441dcc2245a246daecab6260a419c02a32770ee9be53a2ddbede9dd4848d624 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\nmYIeCI7gcMH.exe
| MD5 | 53c6cf5bf9ce4922b3dc9bf9cc2374a2 |
| SHA1 | b9a0d229a47fadaaa0898d32dce3aac279ac8569 |
| SHA256 | 2bb1a0a95249e3bcca1fdfc740bc91df10dc9c8cd834707a0b5a31883eb6867e |
| SHA512 | d323cfdfc3db5c5ce70ba572c0c657def11c3b36703a029977f5c5ddfdb278dfd1eea8950686d7a566dcd550aa0c854ceb035e6e67fcb377a8fc50dc4e0cd64c |
memory/1564-83-0x0000000000130000-0x0000000000230000-memory.dmp
memory/2396-84-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2396-86-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2396-91-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2396-94-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2396-95-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2396-96-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2396-99-0x0000000000100000-0x0000000000101000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-06 02:01
Reported
2024-03-06 02:04
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Detect Poverty Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Poverty Stealer
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4008 set thread context of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe
"C:\Users\Admin\AppData\Local\Temp\d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p125762329330388294023250819845 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "nmYIeCI7gcMH.exe"
C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe
"nmYIeCI7gcMH.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | joxi.net | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 104.21.73.118:80 | joxi.net | tcp |
| US | 104.21.73.118:443 | joxi.net | tcp |
| US | 8.8.8.8:53 | 118.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| DE | 146.70.169.164:2227 | tcp | |
| US | 8.8.8.8:53 | 164.169.70.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| GB | 96.17.178.174:80 | tcp | |
| GB | 96.17.178.174:80 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 12b875e85a885c81bc04161e9df9151a |
| SHA1 | 7d9e32a575e487611abb182b4d89b1ab4f4e7a06 |
| SHA256 | 97e80e083ba83a031bb03097cd81d86708165cd7eb1c070782e6a7234de784a5 |
| SHA512 | 3ba38a4024287bcaeee208a1c0158fae73a86d5581cf566309985bbd204e810eb5fd099a1816a9326c9e25bb08a2da20f2a4884978eb4e4ed8a3762c1057d0ca |
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | afaebf70e6daf7bf2e07cd11f93ee4a1 |
| SHA1 | 4e8b08b3e50f860955bd00d16fc1653c07b7c608 |
| SHA256 | 4a9d76fb9d77efaf81616e750b928ba3955599acafb2c0fec0d7ce412db0f47b |
| SHA512 | 4db3a63f03f8816b85fdb905e2a2f08967f9f3735206f08f2cae8b8cd561e8563d2f92c188d32b94fdb6d472e07c5f41f54e26673f8a81449454225220ba397f |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
| MD5 | 9e57c6bb6dfb456cd9907844b7afafbd |
| SHA1 | daee76439ed4cd77192dc5c2d52b187f18e5ba99 |
| SHA256 | 729dbb0bd855dc1c1cf59366f49e29cb2b6e0d1279270924d2b131d7df749eab |
| SHA512 | 3a99dae0a7c4ac47c5143dd6ada9a485cf115d3d9b172c3ba6d0847d6848e41defccd3a4eaf1b44c3ae46820c2164127b4e1ceaa5e07a8028e9b38f823a5960b |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
| MD5 | 210ee7f34c0ff268d33d598a49eb889a |
| SHA1 | 876dea438f3f365513159630a12a2192fecd8b7f |
| SHA256 | 9d8ee7edf36676633d624774cb194a45ef8ae286cb5e9591d46c20be57a9282f |
| SHA512 | 383bb66f996b858d4ef23eed2264c4f890d47aca7b3da88587e3bb6454183f8d35e44411b08eecafe3fbb0638610cd872d1d00402dd8ff0b660102a44b53bcb1 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
| MD5 | 47e8ed572da00474326b4cee8f85b005 |
| SHA1 | 94bceabdc880c41d73d6c984a9d61c31dd29ce91 |
| SHA256 | abd52eb132c8c23669233a656f036a0e07692efd398894b724b61b66a75564af |
| SHA512 | 31da04b57f0ef1b3363a3fa4855ca576d9159d374de0d2d9defb5524e67fed740441dcc2245a246daecab6260a419c02a32770ee9be53a2ddbede9dd4848d624 |
C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe
| MD5 | 53c6cf5bf9ce4922b3dc9bf9cc2374a2 |
| SHA1 | b9a0d229a47fadaaa0898d32dce3aac279ac8569 |
| SHA256 | 2bb1a0a95249e3bcca1fdfc740bc91df10dc9c8cd834707a0b5a31883eb6867e |
| SHA512 | d323cfdfc3db5c5ce70ba572c0c657def11c3b36703a029977f5c5ddfdb278dfd1eea8950686d7a566dcd550aa0c854ceb035e6e67fcb377a8fc50dc4e0cd64c |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
| MD5 | 5f79b89dbaf23387caa818b0da7b8ea2 |
| SHA1 | 3c38d94819331fd551c07048841cfe6ecbf29e18 |
| SHA256 | 7abc58d9dd3dee48f88629c8dcaf12e72a337f8bf1dbce59d464ab6ed698b726 |
| SHA512 | a6381f3b0d3184ab098e9a40ca65dd1cec76cb7e0cfe13a5c2d188e4c8e6d077286c70a366ad6ffc7e7f68faa6240a730b7034fcaa00d1c1f0922e42c1edb8fc |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | 763cb011f068f184a672e254d3ce3c39 |
| SHA1 | 59eb148e6ad321cac5396e6a58c1528f7932befb |
| SHA256 | d25782f4a9573c40747458b6916e9332b34a349b3011ec85dd5d11a583a87105 |
| SHA512 | 530b8c0ad90b53f38cd56ffaf3766f33167c9922e55f8485ca87019275730c94dd6a84a1d9578163c45bae2743cf6981041f9ccc97ceb822f8d607f94a0c1d28 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
| MD5 | 4ab6b1ed8f26df37c531a80147982511 |
| SHA1 | 25d59710197c30eee836096dfcce139ba84f978a |
| SHA256 | 33f73488015443cc05fa02d1c0723921502de5cac3206cf9fc433472a2afb162 |
| SHA512 | a582e4cd93baf45b48aad086ffc5edab4ec899cbd029e9e740e93cf34a2aff492f14c92ed2efc0339fc4eed979311600007fca3075abda28232d9d351dd49e24 |
memory/4008-64-0x0000000000270000-0x0000000000370000-memory.dmp
memory/4848-63-0x0000000000400000-0x000000000040A000-memory.dmp
memory/4848-70-0x0000000000400000-0x000000000040A000-memory.dmp
memory/4848-72-0x0000000000400000-0x000000000040A000-memory.dmp
memory/4848-71-0x0000000000400000-0x000000000040A000-memory.dmp
memory/4848-75-0x0000000002440000-0x0000000002441000-memory.dmp