Analysis Overview
SHA256
bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e
Threat Level: Known bad
The file bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
Dcrat family
DCRat payload
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 03:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 03:47
Reported
2024-10-31 03:50
Platform
win7-20240903-en
Max time kernel
121s
Max time network
148s
Command Line
Signatures
DcRat
Dcrat family
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Internet Explorer\fr-FR\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\fr-FR\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\fr-FR\b75386f1303e64 | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\7a0fd90576e088 | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\wininit.exe | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\56085415360792 | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe
"C:\Users\Admin\AppData\Local\Temp\bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p237578392143213652313078912 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "Installer.exe"
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
"Installer.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3l1CWBECHl.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 31.177.108.176:80 | 31.177.108.176 | tcp |
| RU | 31.177.108.176:80 | 31.177.108.176 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 888d8edcc3b71e613ea61ea10c012783 |
| SHA1 | a5985a3a80b00287e7987262c5d452c4c5e92cfe |
| SHA256 | 4a0ebfb38b6023319aee0249a2616a9153db091dcb8abb5189c165c0b3f47c3e |
| SHA512 | 5d49219c24df5e88d66e704a9315e2015787a68f085bb6f2cf548abb96137e329ef5d551e9b2417df04392102824e0ac0e024809ed6088d8e429557a43e2b554 |
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | 3ca63b69b8fecf3105fe03db79fe485e |
| SHA1 | 299b02bc2ea3534300304afdc2fcdede1c50aaae |
| SHA256 | 143aedd2b9be4342531a716d6c06e57ed02cd3e6fd0e61a5f0b810754b3d8931 |
| SHA512 | 185f0c807b895da4a46e06f540fbca3d93a38d42d7c5667925ca012cd67852fff5d2de0aa8eb75a29ac8f069fd7d6d7349ac3d81174c2d61495eac99985c5024 |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
| MD5 | 1b7169f7136811025acefcbd57c4c3aa |
| SHA1 | 6b0ce940277dc6573248ee817a17101d0c8e8d82 |
| SHA256 | b02e6aa68ee324b379a371f1f28960fabad6a7d3aef1bb7ca9e47e96f86ee55e |
| SHA512 | aed911a939ea65f2700ecb9493cb53ca2966538ff343c0145961ba5d343f1a94e136d70bac0b25cc21e6c22d51ecd6edd7177c96e751c417c317c3f967488b0b |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
| MD5 | 45b44488f58e268aee145714065d01b1 |
| SHA1 | 57d788efaa8e83d909a2bfd54fe735925818c574 |
| SHA256 | fae5dc0c1e2965b4e1f156e27ebfae84a5a392a9c1d238c023f4635c520815e0 |
| SHA512 | 54c2144629f75d4e1d563270cc206ec568bf844ff66634626153797c1ea47224928301defc13823b2d79de861302e2b69b753e88b99b7c852fbb85f736cdbc9a |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
| MD5 | 6a9bd1c18b86241e8752bd9d1a9fcdc5 |
| SHA1 | 77cc56608cc38c8e1295299af82eb661ae8b41bf |
| SHA256 | 0285293c2c4829281fdc81ce4e1755425ed884364883008b608dca0d0421914b |
| SHA512 | a1f2ed6c9e63ddfc8897b494593f8188a91b217e92509caca8f92f47184b1212bc1ec5e8885aa8f4e8076e081ff85278107101b45d476fbc3d12494082735807 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | 99941e921b39fbdbbad43c87f518488a |
| SHA1 | 6413ddd612ba05a330761c6d0ecec67e6f08b557 |
| SHA256 | d521a8feb747997745848003e56981246828cc02f2534c7620442886c38d30a3 |
| SHA512 | 502b30672bc20713e3a0e8d28c1d649b24301f067367fd41e086deb55daf90da86665771ca0fedb07ed637deb10f789717c3377261ec96d6f6d4c4d88ce504a6 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
| MD5 | 55a752087f41b97f460d16cd084c1e5d |
| SHA1 | 9b1379a8d2fba0322e4ca6274b609d032d703efc |
| SHA256 | 47b472974b1d440f6754b09fb0f053d11deb10734cb60a69d2c7bcbdb9ddd4f6 |
| SHA512 | 22d00f24358854bb79dfe244e9033e14969fe1181a9adff9f4be56864af401da821b2087ef0e9c03419f097d4d21451b290bc5243a015f95844094c6bcb913e2 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe
| MD5 | acdd5f8a230ebcf456977ac3d1ea6eca |
| SHA1 | e0a985b5c9e99d3b1e1141938afeecdc02811946 |
| SHA256 | 45fc98c0fe74f360e57e80e42142c4d5745652c198b298ca7f8ecf4dba560c21 |
| SHA512 | 5372fc4ed4ff8cb54f2139e552c7710f2ad8b4f59bc5743d02a1830a98f2c45553bf807545bf6c93952ae786bc1bd9eb480b98ddf5c924dcc0f5aef9abee2f3d |
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
| MD5 | 7e703968b4e13722892cf227f37b392d |
| SHA1 | 4eba1cbed7b31cdb2ffc9ee7c200bd977af068b0 |
| SHA256 | 965d0ba59eb90d3b89212ab5d7d02ecd5712feb91eee7bf9e82303d872341953 |
| SHA512 | 74099ed995ce1b92a95243cebfefbcb32e660468032d12c65437e412ebfb2d23efdf6a6ea7158e06e2574775258862307143efd9ff662b1587e97383f87e299b |
memory/2600-66-0x0000000000130000-0x00000000001FA000-memory.dmp
memory/2600-68-0x0000000000320000-0x000000000032E000-memory.dmp
memory/2600-70-0x0000000000690000-0x00000000006AC000-memory.dmp
memory/2600-72-0x00000000006B0000-0x00000000006C8000-memory.dmp
memory/2600-74-0x0000000000350000-0x000000000035E000-memory.dmp
memory/2600-76-0x00000000003F0000-0x00000000003FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3l1CWBECHl.bat
| MD5 | 51d34f5e1078729d796d9cea0d575e93 |
| SHA1 | c9f1e788da937bc28561c433762f20f08004c046 |
| SHA256 | 27031add988270fec560d4e8c2b2957f2817bb70d268b0074e1f9bd541b70124 |
| SHA512 | 904cd4d29b29b5641cc675e44dfac80c7c40cdc1936dbad2b202f4bc47858b0193b2b844ce2c29678067251db3081cdb67943c53c49d7bf979528bad40c470e0 |
memory/2000-94-0x0000000000390000-0x000000000045A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 03:47
Reported
2024-10-31 03:50
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
DcRat
Dcrat family
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| N/A | N/A | C:\Windows\Downloaded Program Files\RuntimeBroker.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\TableTextService\en-US\088424020bedd6 | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| File created | C:\Program Files\Windows Mail\bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| File created | C:\Program Files\Windows Mail\e1ddd36cfe04f1 | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\services.exe | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\c5b4cb5e9653cc | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Downloaded Program Files\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| File created | C:\Windows\SystemResources\Windows.UI.Cred\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
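Across both detonations the dropper writes a copy of itself under a Windows system-binary name (explorer.exe, taskhost.exe, wininit.exe, conhost.exe, services.exe, dllhost.exe, RuntimeBroker.exe) into a directory where that binary never lives, and puts a 14-hex-character companion file next to each copy. The hunt below is an added example and not part of this report; it replays the file-creation events from the "Drops file in Program Files directory" and "Drops file in Windows directory" tables of behavioral1 and behavioral2 (plus one constructed benign control) and scores each (process, directory) pair. The event shape, the severity labels and the binary list are assumptions to adapt to your own telemetry.

```python
"""Hunt for DcRat-style persistence drops in file-creation telemetry.

Added example, not taken from the sandbox report. The events below are
reconstructed from the report's drop tables; the last one is a constructed
benign control. Field layout, rule names and severities are assumptions.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Windows binaries whose names the dropped copies borrow (lower-case).
# Assumption: illustrative list, extend it from your own baseline.
SYSTEM_BINARIES = {
    "explorer.exe", "taskhost.exe", "wininit.exe", "conhost.exe",
    "services.exe", "dllhost.exe", "runtimebroker.exe",
}

# Directories where those binaries legitimately live (lower-case).
LEGIT_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# Every dropped copy in the report sits next to a 14-hex-character file.
COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")

INSTALLER = r"C:\Users\Admin\AppData\Local\Temp\main\Installer.exe"

# (created path, creating process) pairs reconstructed from the report.
EVENTS = [
    # behavioral1 (win7)
    (r"C:\Program Files (x86)\Internet Explorer\fr-FR\taskhost.exe", INSTALLER),
    (r"C:\Program Files (x86)\Internet Explorer\fr-FR\b75386f1303e64", INSTALLER),
    (r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe", INSTALLER),
    (r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\7a0fd90576e088", INSTALLER),
    (r"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\wininit.exe", INSTALLER),
    (r"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\56085415360792", INSTALLER),
    # behavioral2 (win10)
    (r"C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe", INSTALLER),
    (r"C:\Program Files (x86)\Windows NT\TableTextService\en-US\088424020bedd6", INSTALLER),
    (r"C:\Program Files\Windows Mail\bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe", INSTALLER),
    (r"C:\Program Files\Windows Mail\e1ddd36cfe04f1", INSTALLER),
    (r"C:\Program Files\Microsoft Office\root\services.exe", INSTALLER),
    (r"C:\Program Files\Microsoft Office\root\c5b4cb5e9653cc", INSTALLER),
    (r"C:\Windows\Downloaded Program Files\9e8d7a4ca61bd9", INSTALLER),
    (r"C:\Windows\SystemResources\Windows.UI.Cred\dllhost.exe", INSTALLER),
    (r"C:\Windows\Downloaded Program Files\RuntimeBroker.exe", INSTALLER),
    # constructed benign control: servicing writes a real system binary in place
    (r"C:\Windows\System32\dllhost.exe", r"C:\Windows\servicing\TrustedInstaller.exe"),
]


def classify(path):
    """Label one created file: 'masquerade', 'companion', 'exe' or None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    if name in SYSTEM_BINARIES:
        # A system-binary name is only suspicious outside its real home.
        return None if parent in LEGIT_DIRS else "masquerade"
    if COMPANION_RE.match(name):
        return "companion"
    if name.endswith(".exe"):
        return "exe"
    return None


def hunt(events):
    """Group creations by (process, directory) and score each group."""
    groups = defaultdict(set)
    for path, process in events:
        kind = classify(path)
        if kind:
            groups[(process, str(PureWindowsPath(path).parent).lower())].add(kind)

    findings = []
    for (process, directory), kinds in sorted(groups.items()):
        if "masquerade" in kinds and "companion" in kinds:
            severity = "high"      # the full DcRat drop pattern seen in this report
        elif "masquerade" in kinds or ("exe" in kinds and "companion" in kinds):
            severity = "medium"    # one half of the pattern
        elif "companion" in kinds:
            severity = "low"       # marker file alone
        else:
            continue               # a lone .exe is normal software installation
        findings.append({"process": process, "directory": directory,
                         "severity": severity, "kinds": sorted(kinds)})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["severity"], f["directory"], f["kinds"])
```

Run against Sysmon Event ID 11 (FileCreate) or an EDR file-write feed; on the events above it returns eight findings, six of them high, and nothing for the benign control.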
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe
"C:\Users\Admin\AppData\Local\Temp\bca73c47a374e5afe3a2ffbb42c1692fd096ebfe0af45ad5c5e12a9e37cd0e2e.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p237578392143213652313078912 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "Installer.exe"
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
"Installer.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aLLFk8KoU9.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Downloaded Program Files\RuntimeBroker.exe
"C:\Windows\Downloaded Program Files\RuntimeBroker.exe"
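The process lists of behavioral1 and behavioral2 show the same staging chain: cmd.exe runs main.bat from %TEMP%, a bundled 7z.exe unpacks file.zip with a password supplied on the command line and then five nested archives, attrib +H hides Installer.exe, a second batch file is run, a LOLBin delay follows (ping -n 10 localhost on win7, w32tm /stripchart on win10) and finally the masqueraded copy is launched. The script below is an added example, not part of this report; it encodes those steps as rules over process-creation events reconstructed from both lists and recovers the archive password so an analyst can repeat the extraction offline. The event layout and rule names are assumptions.

```python
"""Score a DcRat dropper's process chain from process-creation telemetry.

Added example, not taken from the sandbox report. CHAIN_WIN7 and CHAIN_WIN10
mirror the report's 'Processes' lists; the rule names are assumptions.
"""
import re
from pathlib import PureWindowsPath

TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SYSTEM_IMAGES = {"explorer.exe", "runtimebroker.exe", "taskhost.exe", "wininit.exe",
                 "conhost.exe", "services.exe", "dllhost.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

T = r"C:\Users\Admin\AppData\Local\Temp"
SEVENZ = T + r"\main\7z.exe"

# (image path, command line) pairs from the report, in execution order.
CHAIN_WIN7 = [
    (r"C:\Windows\system32\cmd.exe", r'cmd /c ""' + T + r'\main\main.bat" /S"'),
    (r"C:\Windows\system32\mode.com", "mode 65,10"),
    (SEVENZ, "7z.exe e file.zip -p237578392143213652313078912 -oextracted"),
] + [(SEVENZ, f"7z.exe e extracted/file_{i}.zip -oextracted") for i in (5, 4, 3, 2, 1)] + [
    (r"C:\Windows\system32\attrib.exe", r'attrib +H "Installer.exe"'),
    (T + r"\main\Installer.exe", r'"Installer.exe"'),
    (r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C "' + T + r'\3l1CWBECHl.bat"'),
    (r"C:\Windows\system32\chcp.com", "chcp 65001"),
    (r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    (r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe",
     r'"C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe"'),
]
CHAIN_WIN10 = CHAIN_WIN7[:-2] + [
    (r"C:\Windows\system32\w32tm.exe", "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (r"C:\Windows\Downloaded Program Files\RuntimeBroker.exe",
     r'"C:\Windows\Downloaded Program Files\RuntimeBroker.exe"'),
]


def extract_password(cmdline):
    """Return the -p<password> value of a 7-Zip command line, or None."""
    m = re.search(r"(?:^|\s)-p(\S+)", cmdline)
    return m.group(1) if m else None


def rules_for(image, cmdline):
    """Return the names of every rule one process-creation event triggers."""
    p = PureWindowsPath(image)
    name, parent, cl = p.name.lower(), str(p.parent).lower(), cmdline.lower()
    hits = []
    if name == "7z.exe" and TEMP_DIR.match(image) and extract_password(cmdline):
        hits.append("password_archive_unpack_from_temp")
    if name == "7z.exe" and re.search(r"\bextracted[/\\]file_\d+\.zip", cl):
        hits.append("nested_archive_unpack")
    if name == "cmd.exe" and re.search(r"\\temp\\[^\"]+\.bat", cl):
        hits.append("batch_from_temp")
    if name == "attrib.exe" and re.search(r"\+h\b.*\.exe", cl):
        hits.append("hide_executable")
    if (name == "ping.exe" and re.search(r"-n\s+\d+\s+localhost", cl)) or \
       (name == "w32tm.exe" and "/stripchart" in cl):
        hits.append("lolbin_sleep")
    if name in SYSTEM_IMAGES and parent not in SYSTEM_DIRS:
        hits.append("masqueraded_system_binary_executed")
    return hits


def score_chain(events):
    """Map each triggered rule to the command lines that fired it."""
    triggered = {}
    for image, cmdline in events:
        for rule in rules_for(image, cmdline):
            triggered.setdefault(rule, []).append(cmdline)
    return triggered


if __name__ == "__main__":
    for label, chain in (("win7", CHAIN_WIN7), ("win10", CHAIN_WIN10)):
        hits = score_chain(chain)
        print(label, len(hits), "rules:", sorted(hits))
```

Both chains trigger the same six rules; only the sleep LOLBin and the masqueraded image differ between the two platforms, which is a useful property for a detection that should not depend on the OS version. The recovered password lets you reproduce the unpacking of file.zip from the sample with 7-Zip in an isolated VM.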
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 31.177.108.176:80 | 31.177.108.176 | tcp |
| RU | 31.177.108.176:80 | 31.177.108.176 | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.108.177.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| RU | 31.177.108.176:80 | 31.177.108.176 | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 |  | udp |
Files
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 888d8edcc3b71e613ea61ea10c012783 |
| SHA1 | a5985a3a80b00287e7987262c5d452c4c5e92cfe |
| SHA256 | 4a0ebfb38b6023319aee0249a2616a9153db091dcb8abb5189c165c0b3f47c3e |
| SHA512 | 5d49219c24df5e88d66e704a9315e2015787a68f085bb6f2cf548abb96137e329ef5d551e9b2417df04392102824e0ac0e024809ed6088d8e429557a43e2b554 |
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | 3ca63b69b8fecf3105fe03db79fe485e |
| SHA1 | 299b02bc2ea3534300304afdc2fcdede1c50aaae |
| SHA256 | 143aedd2b9be4342531a716d6c06e57ed02cd3e6fd0e61a5f0b810754b3d8931 |
| SHA512 | 185f0c807b895da4a46e06f540fbca3d93a38d42d7c5667925ca012cd67852fff5d2de0aa8eb75a29ac8f069fd7d6d7349ac3d81174c2d61495eac99985c5024 |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
| MD5 | 1b7169f7136811025acefcbd57c4c3aa |
| SHA1 | 6b0ce940277dc6573248ee817a17101d0c8e8d82 |
| SHA256 | b02e6aa68ee324b379a371f1f28960fabad6a7d3aef1bb7ca9e47e96f86ee55e |
| SHA512 | aed911a939ea65f2700ecb9493cb53ca2966538ff343c0145961ba5d343f1a94e136d70bac0b25cc21e6c22d51ecd6edd7177c96e751c417c317c3f967488b0b |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
| MD5 | 6a9bd1c18b86241e8752bd9d1a9fcdc5 |
| SHA1 | 77cc56608cc38c8e1295299af82eb661ae8b41bf |
| SHA256 | 0285293c2c4829281fdc81ce4e1755425ed884364883008b608dca0d0421914b |
| SHA512 | a1f2ed6c9e63ddfc8897b494593f8188a91b217e92509caca8f92f47184b1212bc1ec5e8885aa8f4e8076e081ff85278107101b45d476fbc3d12494082735807 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
| MD5 | 45b44488f58e268aee145714065d01b1 |
| SHA1 | 57d788efaa8e83d909a2bfd54fe735925818c574 |
| SHA256 | fae5dc0c1e2965b4e1f156e27ebfae84a5a392a9c1d238c023f4635c520815e0 |
| SHA512 | 54c2144629f75d4e1d563270cc206ec568bf844ff66634626153797c1ea47224928301defc13823b2d79de861302e2b69b753e88b99b7c852fbb85f736cdbc9a |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | 99941e921b39fbdbbad43c87f518488a |
| SHA1 | 6413ddd612ba05a330761c6d0ecec67e6f08b557 |
| SHA256 | d521a8feb747997745848003e56981246828cc02f2534c7620442886c38d30a3 |
| SHA512 | 502b30672bc20713e3a0e8d28c1d649b24301f067367fd41e086deb55daf90da86665771ca0fedb07ed637deb10f789717c3377261ec96d6f6d4c4d88ce504a6 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
| MD5 | 55a752087f41b97f460d16cd084c1e5d |
| SHA1 | 9b1379a8d2fba0322e4ca6274b609d032d703efc |
| SHA256 | 47b472974b1d440f6754b09fb0f053d11deb10734cb60a69d2c7bcbdb9ddd4f6 |
| SHA512 | 22d00f24358854bb79dfe244e9033e14969fe1181a9adff9f4be56864af401da821b2087ef0e9c03419f097d4d21451b290bc5243a015f95844094c6bcb913e2 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
| MD5 | 7e703968b4e13722892cf227f37b392d |
| SHA1 | 4eba1cbed7b31cdb2ffc9ee7c200bd977af068b0 |
| SHA256 | 965d0ba59eb90d3b89212ab5d7d02ecd5712feb91eee7bf9e82303d872341953 |
| SHA512 | 74099ed995ce1b92a95243cebfefbcb32e660468032d12c65437e412ebfb2d23efdf6a6ea7158e06e2574775258862307143efd9ff662b1587e97383f87e299b |
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
| MD5 | acdd5f8a230ebcf456977ac3d1ea6eca |
| SHA1 | e0a985b5c9e99d3b1e1141938afeecdc02811946 |
| SHA256 | 45fc98c0fe74f360e57e80e42142c4d5745652c198b298ca7f8ecf4dba560c21 |
| SHA512 | 5372fc4ed4ff8cb54f2139e552c7710f2ad8b4f59bc5743d02a1830a98f2c45553bf807545bf6c93952ae786bc1bd9eb480b98ddf5c924dcc0f5aef9abee2f3d |
memory/1804-55-0x0000000000A90000-0x0000000000B5A000-memory.dmp
memory/1804-57-0x0000000002BC0000-0x0000000002BCE000-memory.dmp
memory/1804-59-0x0000000002C00000-0x0000000002C1C000-memory.dmp
memory/1804-60-0x000000001C230000-0x000000001C280000-memory.dmp
memory/1804-62-0x0000000002C20000-0x0000000002C38000-memory.dmp
memory/1804-64-0x0000000002BD0000-0x0000000002BDE000-memory.dmp
memory/1804-66-0x0000000002BE0000-0x0000000002BEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aLLFk8KoU9.bat
| MD5 | 21307b7eedcb427252781252a1bb51d5 |
| SHA1 | efd47cce8ec1382cbeb4b1e67fe7ced032908168 |
| SHA256 | 8b1eb13cfe06362daf5de096b51a8eb518d4286e98c9094db12e1be635308593 |
| SHA512 | 20f0b6d7b6c214414673c3b6b8f9b7f5da4b2f407a5d14226ab713ee1efc6d7070db2b97aa2622969eca28715d31d836051e7026cfb5019ebf19c0184c661c5e |