Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-12-2024 16:44

General

  • Target

    ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe

  • Size

    2.8MB

  • MD5

    bf03b982421c50b3c232a902eed53e31

  • SHA1

    5f1bdec3bf5ef51e982ebd35ef62d4ab461891bd

  • SHA256

    ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249

  • SHA512

    dd77759327f5bac2cbb935de95e4d9c57931a548715fb7de041d8367b4e98a0ef2476577d399ef2c84a9b2f26516abf579575949bfd7917bd83ce2f9f91fdfd1

  • SSDEEP

    49152:nvzSPYPGhM06DbXnnIMgFsXK5vQxw6oO:n7SPYPG206DcMCsa5vQKPO

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

Extracted

Family

cryptbot

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

  • Cryptbot family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
  • XMRig Miner payload 13 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 20 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2712
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1120
    • C:\Users\Admin\AppData\Local\Temp\ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
      "C:\Users\Admin\AppData\Local\Temp\ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe"
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4720
      • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Users\Admin\AppData\Local\Temp\1016686001\8ff44bb8e2.exe
          "C:\Users\Admin\AppData\Local\Temp\1016686001\8ff44bb8e2.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2200
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:5008
            • C:\Windows\system32\mode.com
              mode 65,10
              5⤵
                PID:1896
              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                7z.exe e file.zip -p24291711423417250691697322505 -oextracted
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:3532
              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                7z.exe e extracted/file_7.zip -oextracted
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:844
              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                7z.exe e extracted/file_6.zip -oextracted
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:4128
              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                7z.exe e extracted/file_5.zip -oextracted
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:1912
              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                7z.exe e extracted/file_4.zip -oextracted
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:1312
              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                7z.exe e extracted/file_3.zip -oextracted
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:2636
              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                7z.exe e extracted/file_2.zip -oextracted
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:2424
              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                7z.exe e extracted/file_1.zip -oextracted
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:3464
              • C:\Windows\system32\attrib.exe
                attrib +H "in.exe"
                5⤵
                • Views/modifies file attributes
                PID:4736
              • C:\Users\Admin\AppData\Local\Temp\main\in.exe
                "in.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:4900
                • C:\Windows\SYSTEM32\attrib.exe
                  attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                  6⤵
                  • Views/modifies file attributes
                  PID:5092
                • C:\Windows\SYSTEM32\attrib.exe
                  attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                  6⤵
                  • Views/modifies file attributes
                  PID:1784
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
                  6⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:1104
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell ping 127.0.0.1; del in.exe
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1680
                  • C:\Windows\system32\PING.EXE
                    "C:\Windows\system32\PING.EXE" 127.0.0.1
                    7⤵
                    • System Network Configuration Discovery: Internet Connection Discovery
                    • Runs ping.exe
                    PID:4100
          • C:\Users\Admin\AppData\Local\Temp\1016687001\68a321b9be.exe
            "C:\Users\Admin\AppData\Local\Temp\1016687001\68a321b9be.exe"
            3⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4732
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 536
              4⤵
              • Program crash
              PID:2468
          • C:\Users\Admin\AppData\Local\Temp\1016688001\43cf0fb499.exe
            "C:\Users\Admin\AppData\Local\Temp\1016688001\43cf0fb499.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4008
            • C:\Users\Admin\AppData\Local\Temp\1016688001\43cf0fb499.exe
              "C:\Users\Admin\AppData\Local\Temp\1016688001\43cf0fb499.exe"
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2108
          • C:\Users\Admin\AppData\Local\Temp\1016689001\e9af4c7f3b.exe
            "C:\Users\Admin\AppData\Local\Temp\1016689001\e9af4c7f3b.exe"
            3⤵
            • Enumerates VirtualBox registry keys
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:1192
          • C:\Users\Admin\AppData\Local\Temp\1016690001\475ff6d638.exe
            "C:\Users\Admin\AppData\Local\Temp\1016690001\475ff6d638.exe"
            3⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3744
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4732 -ip 4732
        1⤵
          PID:3560
        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
          C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
          1⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:4648
        • C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
          C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          PID:3556
          • C:\Windows\explorer.exe
            explorer.exe
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3064
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
            2⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4072
            • C:\Windows\system32\PING.EXE
              "C:\Windows\system32\PING.EXE" 127.1.10.1
              3⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3136
        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
          C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
          1⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:4700
        • C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
          C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          PID:2348
          • C:\Windows\explorer.exe
            explorer.exe
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3976
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
            2⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4644
            • C:\Windows\system32\PING.EXE
              "C:\Windows\system32\PING.EXE" 127.1.10.1
              3⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3888

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          6cf293cb4d80be23433eecf74ddb5503

          SHA1

          24fe4752df102c2ef492954d6b046cb5512ad408

          SHA256

          b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

          SHA512

          0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          276798eeb29a49dc6e199768bc9c2e71

          SHA1

          5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

          SHA256

          cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

          SHA512

          0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          828f78461e16d0b91a35d0944d51fba9

          SHA1

          0bb5286101d225afeeb6964a5c779945b7c8cc87

          SHA256

          f8dc8f369035751dcc251e25aa8ca9a0e0e49f505a4da1d2414698d99366614c

          SHA512

          dccd418d1dd1434382040732d1f0677b55bb3af4a763ad8db2821aa8e19f408eab71f89fa522eec66a47cb3feb4b86d5feedda4a3b3401a52b66e5db0543bc23

        • C:\Users\Admin\AppData\Local\Temp\1016686001\8ff44bb8e2.exe

          Filesize

          4.2MB

          MD5

          3a425626cbd40345f5b8dddd6b2b9efa

          SHA1

          7b50e108e293e54c15dce816552356f424eea97a

          SHA256

          ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1

          SHA512

          a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

        • C:\Users\Admin\AppData\Local\Temp\1016687001\68a321b9be.exe

          Filesize

          1.9MB

          MD5

          3706a6571036ab9a574a21d776a657b7

          SHA1

          2ac51df5469be87a03bd17d86759054feb215f2e

          SHA256

          28c9f7564a7df8973c2f9a3a375955a3028d88617491ddb239768dd5e9fb77a5

          SHA512

          4db39ee86eccb158ac9e87b9bd926f5543eef401d19169952c06e30fc0664164fc0c8db27000546ab7cede52aa36c02ad183e699d41c940c0eded3dca7e44318

        • C:\Users\Admin\AppData\Local\Temp\1016688001\43cf0fb499.exe

          Filesize

          758KB

          MD5

          afd936e441bf5cbdb858e96833cc6ed3

          SHA1

          3491edd8c7caf9ae169e21fb58bccd29d95aefef

          SHA256

          c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf

          SHA512

          928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325

        • C:\Users\Admin\AppData\Local\Temp\1016689001\e9af4c7f3b.exe

          Filesize

          4.2MB

          MD5

          079795064f41b5e6be3580417649285b

          SHA1

          25f3575baaf1808837cc6cefa61e340d5f6b8352

          SHA256

          40147209edc2604a1d653bf65890c705939237f79a43ec544dfc74343777923c

          SHA512

          dc0ec23df0f74aa4f6ee48b1e0a8b5c70067daade43090debc504f561cf75de92893f202c1eb28fef4f6bdb420fac1cac191a01fc4bad60ba8b7ed26fbd6beec

        • C:\Users\Admin\AppData\Local\Temp\1016690001\475ff6d638.exe

          Filesize

          4.2MB

          MD5

          62f3849cef2ef1f8210727a558f9017b

          SHA1

          43ee32a6fca4c1182f3669a4af4dc3ab23c028b4

          SHA256

          f7879073e27c916f86ed3da35dd0c38918abd3962c9c2b8738564e282a138ec6

          SHA512

          bb2bfc58c096b8a71fb720d3fd04641dbce70131bd4ecf253ecd3ed4ab54302da27ad6490897f2f7c2cd9de546cba997b5921cf669bb222fb938f60d18ab4296

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3kidyqqi.d5a.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

          Filesize

          2.8MB

          MD5

          bf03b982421c50b3c232a902eed53e31

          SHA1

          5f1bdec3bf5ef51e982ebd35ef62d4ab461891bd

          SHA256

          ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249

          SHA512

          dd77759327f5bac2cbb935de95e4d9c57931a548715fb7de041d8367b4e98a0ef2476577d399ef2c84a9b2f26516abf579575949bfd7917bd83ce2f9f91fdfd1

        • C:\Users\Admin\AppData\Local\Temp\main\7z.dll

          Filesize

          1.6MB

          MD5

          72491c7b87a7c2dd350b727444f13bb4

          SHA1

          1e9338d56db7ded386878eab7bb44b8934ab1bc7

          SHA256

          34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

          SHA512

          583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe

          Filesize

          458KB

          MD5

          619f7135621b50fd1900ff24aade1524

          SHA1

          6c7ea8bbd435163ae3945cbef30ef6b9872a4591

          SHA256

          344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

          SHA512

          2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

        • C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

          Filesize

          2.2MB

          MD5

          579a63bebccbacab8f14132f9fc31b89

          SHA1

          fca8a51077d352741a9c1ff8a493064ef5052f27

          SHA256

          0ac3504d5fa0460cae3c0fd9c4b628e1a65547a60563e6d1f006d17d5a6354b0

          SHA512

          4a58ca0f392187a483b9ef652b6e8b2e60d01daa5d331549df9f359d2c0a181e975cf9df79552e3474b9d77f8e37a1cf23725f32d4cdbe4885e257a7625f7b1f

        • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

          Filesize

          1.7MB

          MD5

          5659eba6a774f9d5322f249ad989114a

          SHA1

          4bfb12aa98a1dc2206baa0ac611877b815810e4c

          SHA256

          e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4

          SHA512

          f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4

        • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

          Filesize

          1.7MB

          MD5

          5404286ec7853897b3ba00adf824d6c1

          SHA1

          39e543e08b34311b82f6e909e1e67e2f4afec551

          SHA256

          ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266

          SHA512

          c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30

        • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

          Filesize

          1.7MB

          MD5

          5eb39ba3698c99891a6b6eb036cfb653

          SHA1

          d2f1cdd59669f006a2f1aa9214aeed48bc88c06e

          SHA256

          e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2

          SHA512

          6c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e

        • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

          Filesize

          1.7MB

          MD5

          7187cc2643affab4ca29d92251c96dee

          SHA1

          ab0a4de90a14551834e12bb2c8c6b9ee517acaf4

          SHA256

          c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830

          SHA512

          27985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3

        • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

          Filesize

          1.7MB

          MD5

          b7d1e04629bec112923446fda5391731

          SHA1

          814055286f963ddaa5bf3019821cb8a565b56cb8

          SHA256

          4da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789

          SHA512

          79fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db

        • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

          Filesize

          1.7MB

          MD5

          0dc4014facf82aa027904c1be1d403c1

          SHA1

          5e6d6c020bfc2e6f24f3d237946b0103fe9b1831

          SHA256

          a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7

          SHA512

          cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028

        • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

          Filesize

          3.3MB

          MD5

          cea368fc334a9aec1ecff4b15612e5b0

          SHA1

          493d23f72731bb570d904014ffdacbba2334ce26

          SHA256

          07e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541

          SHA512

          bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748

        • C:\Users\Admin\AppData\Local\Temp\main\file.bin

          Filesize

          3.3MB

          MD5

          045b0a3d5be6f10ddf19ae6d92dfdd70

          SHA1

          0387715b6681d7097d372cd0005b664f76c933c7

          SHA256

          94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d

          SHA512

          58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b

        • C:\Users\Admin\AppData\Local\Temp\main\in.exe

          Filesize

          1.7MB

          MD5

          83d75087c9bf6e4f07c36e550731ccde

          SHA1

          d5ff596961cce5f03f842cfd8f27dde6f124e3ae

          SHA256

          46db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f

          SHA512

          044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a

        • C:\Users\Admin\AppData\Local\Temp\main\main.bat

          Filesize

          440B

          MD5

          3626532127e3066df98e34c3d56a1869

          SHA1

          5fa7102f02615afde4efd4ed091744e842c63f78

          SHA256

          2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca

          SHA512

          dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd

        • memory/1120-153-0x00007FFACA290000-0x00007FFACA485000-memory.dmp

          Filesize

          2.0MB

        • memory/1120-152-0x0000000001280000-0x0000000001680000-memory.dmp

          Filesize

          4.0MB

        • memory/1120-150-0x0000000000C70000-0x0000000000C7A000-memory.dmp

          Filesize

          40KB

        • memory/1120-155-0x0000000076640000-0x0000000076855000-memory.dmp

          Filesize

          2.1MB

        • memory/1192-194-0x0000000000EF0000-0x0000000001B5E000-memory.dmp

          Filesize

          12.4MB

        • memory/1192-214-0x0000000000EF0000-0x0000000001B5E000-memory.dmp

          Filesize

          12.4MB

        • memory/1192-234-0x0000000000EF0000-0x0000000001B5E000-memory.dmp

          Filesize

          12.4MB

        • memory/1680-125-0x00000272483F0000-0x0000027248412000-memory.dmp

          Filesize

          136KB

        • memory/2108-175-0x0000000000400000-0x0000000000456000-memory.dmp

          Filesize

          344KB

        • memory/2108-177-0x0000000000400000-0x0000000000456000-memory.dmp

          Filesize

          344KB

        • memory/2348-270-0x00007FF79C520000-0x00007FF79C9B0000-memory.dmp

          Filesize

          4.6MB

        • memory/2756-22-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-252-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-284-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-282-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-286-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-61-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-60-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-41-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-235-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-253-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-21-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-285-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-287-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-178-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-19-0x0000000000A61000-0x0000000000A8F000-memory.dmp

          Filesize

          184KB

        • memory/2756-20-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-195-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-251-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-250-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-249-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/2756-16-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/3064-222-0x0000000140000000-0x0000000140770000-memory.dmp

          Filesize

          7.4MB

        • memory/3064-236-0x0000000140000000-0x0000000140770000-memory.dmp

          Filesize

          7.4MB

        • memory/3064-231-0x0000000000540000-0x0000000000560000-memory.dmp

          Filesize

          128KB

        • memory/3064-220-0x0000000140000000-0x0000000140770000-memory.dmp

          Filesize

          7.4MB

        • memory/3064-221-0x0000000140000000-0x0000000140770000-memory.dmp

          Filesize

          7.4MB

        • memory/3064-232-0x0000000140000000-0x0000000140770000-memory.dmp

          Filesize

          7.4MB

        • memory/3064-223-0x0000000140000000-0x0000000140770000-memory.dmp

          Filesize

          7.4MB

        • memory/3064-224-0x0000000140000000-0x0000000140770000-memory.dmp

          Filesize

          7.4MB

        • memory/3064-225-0x0000000140000000-0x0000000140770000-memory.dmp

          Filesize

          7.4MB

        • memory/3064-227-0x0000000140000000-0x0000000140770000-memory.dmp

          Filesize

          7.4MB

        • memory/3064-226-0x0000000140000000-0x0000000140770000-memory.dmp

          Filesize

          7.4MB

        • memory/3064-230-0x0000000140000000-0x0000000140770000-memory.dmp

          Filesize

          7.4MB

        • memory/3556-219-0x00007FF79C520000-0x00007FF79C9B0000-memory.dmp

          Filesize

          4.6MB

        • memory/3556-229-0x00007FF79C520000-0x00007FF79C9B0000-memory.dmp

          Filesize

          4.6MB

        • memory/3744-212-0x0000000000340000-0x0000000000F6E000-memory.dmp

          Filesize

          12.2MB

        • memory/3744-211-0x0000000000340000-0x0000000000F6E000-memory.dmp

          Filesize

          12.2MB

        • memory/3976-265-0x0000000140000000-0x0000000140770000-memory.dmp

          Filesize

          7.4MB

        • memory/3976-271-0x0000000140000000-0x0000000140770000-memory.dmp

          Filesize

          7.4MB

        • memory/3976-267-0x0000000140000000-0x0000000140770000-memory.dmp

          Filesize

          7.4MB

        • memory/4648-216-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/4648-217-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/4700-269-0x0000000000A60000-0x0000000000D6F000-memory.dmp

          Filesize

          3.1MB

        • memory/4720-3-0x0000000000780000-0x0000000000A8F000-memory.dmp

          Filesize

          3.1MB

        • memory/4720-1-0x00000000772D4000-0x00000000772D6000-memory.dmp

          Filesize

          8KB

        • memory/4720-0-0x0000000000780000-0x0000000000A8F000-memory.dmp

          Filesize

          3.1MB

        • memory/4720-18-0x0000000000780000-0x0000000000A8F000-memory.dmp

          Filesize

          3.1MB

        • memory/4720-2-0x0000000000781000-0x00000000007AF000-memory.dmp

          Filesize

          184KB

        • memory/4720-4-0x0000000000780000-0x0000000000A8F000-memory.dmp

          Filesize

          3.1MB

        • memory/4732-149-0x0000000076640000-0x0000000076855000-memory.dmp

          Filesize

          2.1MB

        • memory/4732-157-0x0000000000080000-0x0000000000542000-memory.dmp

          Filesize

          4.8MB

        • memory/4732-147-0x00007FFACA290000-0x00007FFACA485000-memory.dmp

          Filesize

          2.0MB

        • memory/4732-146-0x0000000005320000-0x0000000005720000-memory.dmp

          Filesize

          4.0MB

        • memory/4732-145-0x0000000005320000-0x0000000005720000-memory.dmp

          Filesize

          4.0MB

        • memory/4732-143-0x0000000000080000-0x0000000000542000-memory.dmp

          Filesize

          4.8MB

        • memory/4900-114-0x00007FF645730000-0x00007FF645BC0000-memory.dmp

          Filesize

          4.6MB

        • memory/4900-112-0x00007FF645730000-0x00007FF645BC0000-memory.dmp

          Filesize

          4.6MB