povertystealer | 7741cd9265cbb2052bfa489dc62a467b00362e720632c3d620ea939da7d756ce

Analysis

max time kernel
66s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sansayrex.rar
Size

2.7MB
MD5

ab3fc014b70ca478c3d69087822bd477
SHA1

7af220ee31e5c62b7594f708b5db767cfc636577
SHA256

7741cd9265cbb2052bfa489dc62a467b00362e720632c3d620ea939da7d756ce
SHA512

c3757cda1eabb927a19c3e69cc5783e179a1ad1b6b8ce878a1738f69f695dc3a15002e64993d9b87a11cb6e0fb77a7887c5d4e14286c0f642107fb49613f2e92
SSDEEP

49152:58STJCYouFTPJo/3tPo6PXc7cntnFqxxDTUK/f2hKt87ip1Rrf3lsVma463EHqPL:51Tvfo/3twFcDqXf5/87A3lK3EKPgm35

Score

10^/10

povertystealer discovery stealer

Malware Config

Signatures

Detect Poverty Stealer Payload 5 IoCs

resource	yara_rule
behavioral1/memory/5080-276-0x0000000000510000-0x000000000051A000-memory.dmp	family_povertystealer
behavioral1/memory/5080-281-0x0000000000510000-0x000000000051A000-memory.dmp	family_povertystealer
behavioral1/memory/5080-282-0x0000000000510000-0x000000000051A000-memory.dmp	family_povertystealer
behavioral1/memory/5080-284-0x0000000000510000-0x000000000051A000-memory.dmp	family_povertystealer
behavioral1/memory/5080-285-0x0000000000510000-0x000000000051A000-memory.dmp	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer
Povertystealer family
povertystealer

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	sansayrex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	sansayrex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	sansayrex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	sansayrex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	sansayrex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	sansayrex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	sansayrex.exe

Executes dropped EXE 49 IoCs

pid	Process
916	sansayrex.exe
2528	7z.exe
6024	7z.exe
6020	7z.exe
1376	7z.exe
3068	7z.exe
4000	svchosts64.exe
4116	sansayrex.exe
2616	7z.exe
2308	7z.exe
5556	7z.exe
1360	7z.exe
2904	7z.exe
320	svchosts64.exe
5832	sansayrex.exe
2480	7z.exe
5948	7z.exe
1788	7z.exe
3416	7z.exe
4048	7z.exe
2508	svchosts64.exe
5644	sansayrex.exe
2836	7z.exe
1668	7z.exe
1688	7z.exe
1288	7z.exe
5316	7z.exe
1740	svchosts64.exe
2588	sansayrex.exe
5192	sansayrex.exe
5868	7z.exe
2616	7z.exe
2308	7z.exe
5212	7z.exe
5556	7z.exe
1364	svchosts64.exe
4092	7z.exe
3500	7z.exe
2016	7z.exe
4228	7z.exe
3764	7z.exe
3660	svchosts64.exe
1592	sansayrex.exe
1532	7z.exe
1504	7z.exe
5532	7z.exe
5892	7z.exe
1084	7z.exe
5784	svchosts64.exe

Loads dropped DLL 35 IoCs

pid	Process
2528	7z.exe
6024	7z.exe
6020	7z.exe
1376	7z.exe
3068	7z.exe
2616	7z.exe
2308	7z.exe
5556	7z.exe
1360	7z.exe
2904	7z.exe
2480	7z.exe
5948	7z.exe
1788	7z.exe
3416	7z.exe
4048	7z.exe
2836	7z.exe
1668	7z.exe
1688	7z.exe
1288	7z.exe
5316	7z.exe
5868	7z.exe
2616	7z.exe
2308	7z.exe
5212	7z.exe
5556	7z.exe
4092	7z.exe
3500	7z.exe
2016	7z.exe
4228	7z.exe
3764	7z.exe
1532	7z.exe
1504	7z.exe
5532	7z.exe
5892	7z.exe
1084	7z.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4000 set thread context of 5080	4000	svchosts64.exe	178

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sansayrex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sansayrex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sansayrex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sansayrex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sansayrex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sansayrex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sansayrex.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	OpenWith.exe

Modifies system certificate store 2 TTPs 4 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB	svchosts64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = 03000000010000001400000033e4e80807204c2b6182a3a14b591acd25b5f0db1400000001000000140000008d8c5ec454ad8ae177e99bf99b05e1b8018d61e1040000000100000010000000adab5c4df031fb9299f71ada7e18f6130f00000001000000300000008b612b2190a95b28b866b9be5d0b95f368c17534ab1da61a42dfb32766f9ae2908fe6bfd1669be140eddaf0d33e95235190000000100000010000000fc741b3b78cfb31e075744fe5d0eeb965c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf4b0000000100000044000000300037004300450046003200460036003500340045003300450044003600300035003000460046004300390042003600450042003800340034003200350030005f00000020000000010000001706000030820613308203fba00302010202107d5b5126b476ba11db74160bbc530da7300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a30818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d67333d6d73c20d000d21745b8d63e07a23fc741ee3230c9b06cfdf49fcb12980f2d3f8d4d010c820f177f622ee9b84879fb16834eadd7322593b707bfb9503fa94cc3402ae939ffd981ca1f163241da8026b9237a87201ee3ff209a3c95446f8775069040b4329316091008233ed2dd870f6f5d51146a0a69c54f017269cfd3934c6d04a0a31b827eb19ab9edc59ec537789f9a0834fb562e58c4090e06645bbc37dcf19f2868a856b092a35c9fbb8898081b241dab3085aeafb02e9e7a9dc1c0421ce202f0eae04ad2ef900eb4c14016f06f85424a64f7a430a0febf2ea3275a8e8b58b8adc319178463ed6f56fd83cb6034c474bee69ddbe1e4e5ca0c5f150203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010032bf61bd0e48c34fc7ba474df89c781901dc131d806ffcc370b4529a31339a5752fb319e6ba4ef54aa898d401768f811107cd2cab1f15586c7eeb3369186f63951bf46bf0fa0bab4f77e49c42a36179ee468397aaf944e566fb27b3bbf0a86bdcdc5771c03b838b1a21f5f7edb8adc4648b6680acfb2b5b4e234e467a93866095ed2b8fc9d283a174027c2724e29fd213c7ccf13fb962cc53144fd13edd59ba96968777ceee1ffa4f93638085339a284349c19f3be0eacd52437eb23a878d0d3e7ef924764623922efc6f711be2285c6664424268e10328dc893ae079e833e2fd9f9f5468e63bec1e6b4dca6cd21a8860a95d92e85261afdfcb1b657426d95d133f6391406824138f58f58dc805ba4d57d9578fda79bfffdc5a869ab26e7a7a405875ba9b7b8a3200b97a94585ddb38be589378e290dfc0617f638400e42e41206fb7bf3c6116862dfe398f413d8154f8bb169d91060bc642aea31b7e4b5a33a149b26e30b7bfd028eb699c138975936f6a874a286b65eebc664eacfa0a3f96e9eba2d11b6869808582dc9ac2564f25e75b438c1ae7f5a4683ea51cab6f19911356ba56a7bc600b0e7f8be64b2adc8c2f1ace351eaa493e079c8e18140c90a5be1123cc1602ae397c08942ca94cf46981269bb98d0c2d30d724b476ee593c43228638743e4b0323e0ad34bbf239b1429412b9a041f932df1c739483cad5a127f	svchosts64.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	svchosts64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	svchosts64.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
4464	NOTEPAD.EXE
3180	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1460	7zFM.exe
5692	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1460	7zFM.exe
Token: 35	1460	7zFM.exe
Token: SeSecurityPrivilege	1460	7zFM.exe
Token: SeRestorePrivilege	2528	7z.exe
Token: 35	2528	7z.exe
Token: SeSecurityPrivilege	2528	7z.exe
Token: SeSecurityPrivilege	2528	7z.exe
Token: SeRestorePrivilege	6024	7z.exe
Token: 35	6024	7z.exe
Token: SeSecurityPrivilege	6024	7z.exe
Token: SeSecurityPrivilege	6024	7z.exe
Token: SeRestorePrivilege	6020	7z.exe
Token: 35	6020	7z.exe
Token: SeSecurityPrivilege	6020	7z.exe
Token: SeSecurityPrivilege	6020	7z.exe
Token: SeRestorePrivilege	1376	7z.exe
Token: 35	1376	7z.exe
Token: SeSecurityPrivilege	1376	7z.exe
Token: SeSecurityPrivilege	1376	7z.exe
Token: SeRestorePrivilege	3068	7z.exe
Token: 35	3068	7z.exe
Token: SeSecurityPrivilege	3068	7z.exe
Token: SeSecurityPrivilege	3068	7z.exe
Token: SeDebugPrivilege	5096	taskmgr.exe
Token: SeSystemProfilePrivilege	5096	taskmgr.exe
Token: SeCreateGlobalPrivilege	5096	taskmgr.exe
Token: 33	5096	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5096	taskmgr.exe
Token: SeRestorePrivilege	2616	7z.exe
Token: 35	2616	7z.exe
Token: SeSecurityPrivilege	2616	7z.exe
Token: SeSecurityPrivilege	2616	7z.exe
Token: SeRestorePrivilege	2308	7z.exe
Token: 35	2308	7z.exe
Token: SeSecurityPrivilege	2308	7z.exe
Token: SeSecurityPrivilege	2308	7z.exe
Token: SeRestorePrivilege	5556	7z.exe
Token: 35	5556	7z.exe
Token: SeSecurityPrivilege	5556	7z.exe
Token: SeSecurityPrivilege	5556	7z.exe
Token: SeRestorePrivilege	1360	7z.exe
Token: 35	1360	7z.exe
Token: SeSecurityPrivilege	1360	7z.exe
Token: SeSecurityPrivilege	1360	7z.exe
Token: SeRestorePrivilege	2904	7z.exe
Token: 35	2904	7z.exe
Token: SeSecurityPrivilege	2904	7z.exe
Token: SeSecurityPrivilege	2904	7z.exe
Token: SeRestorePrivilege	2480	7z.exe
Token: 35	2480	7z.exe
Token: SeSecurityPrivilege	2480	7z.exe
Token: SeSecurityPrivilege	2480	7z.exe
Token: SeRestorePrivilege	5948	7z.exe
Token: 35	5948	7z.exe
Token: SeSecurityPrivilege	5948	7z.exe
Token: SeSecurityPrivilege	5948	7z.exe
Token: SeRestorePrivilege	1788	7z.exe
Token: 35	1788	7z.exe
Token: SeSecurityPrivilege	1788	7z.exe
Token: SeSecurityPrivilege	1788	7z.exe
Token: SeRestorePrivilege	3416	7z.exe
Token: 35	3416	7z.exe
Token: SeSecurityPrivilege	3416	7z.exe
Token: SeSecurityPrivilege	3416	7z.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
1460	7zFM.exe
1460	7zFM.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe
5096	taskmgr.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 3652	916	sansayrex.exe	99
PID 916 wrote to memory of 3652	916	sansayrex.exe	99
PID 3652 wrote to memory of 400	3652	cmd.exe	101
PID 3652 wrote to memory of 400	3652	cmd.exe	101
PID 3652 wrote to memory of 2528	3652	cmd.exe	102
PID 3652 wrote to memory of 2528	3652	cmd.exe	102
PID 3652 wrote to memory of 6024	3652	cmd.exe	103
PID 3652 wrote to memory of 6024	3652	cmd.exe	103
PID 3652 wrote to memory of 6020	3652	cmd.exe	104
PID 3652 wrote to memory of 6020	3652	cmd.exe	104
PID 3652 wrote to memory of 1376	3652	cmd.exe	105
PID 3652 wrote to memory of 1376	3652	cmd.exe	105
PID 3652 wrote to memory of 3068	3652	cmd.exe	106
PID 3652 wrote to memory of 3068	3652	cmd.exe	106
PID 3652 wrote to memory of 1496	3652	cmd.exe	107
PID 3652 wrote to memory of 1496	3652	cmd.exe	107
PID 3652 wrote to memory of 4000	3652	cmd.exe	108
PID 3652 wrote to memory of 4000	3652	cmd.exe	108
PID 3652 wrote to memory of 4000	3652	cmd.exe	108
PID 4116 wrote to memory of 5776	4116	sansayrex.exe	113
PID 4116 wrote to memory of 5776	4116	sansayrex.exe	113
PID 5776 wrote to memory of 5196	5776	cmd.exe	115
PID 5776 wrote to memory of 5196	5776	cmd.exe	115
PID 5776 wrote to memory of 2616	5776	cmd.exe	116
PID 5776 wrote to memory of 2616	5776	cmd.exe	116
PID 5776 wrote to memory of 2308	5776	cmd.exe	118
PID 5776 wrote to memory of 2308	5776	cmd.exe	118
PID 5776 wrote to memory of 5556	5776	cmd.exe	119
PID 5776 wrote to memory of 5556	5776	cmd.exe	119
PID 5776 wrote to memory of 1360	5776	cmd.exe	120
PID 5776 wrote to memory of 1360	5776	cmd.exe	120
PID 5776 wrote to memory of 2904	5776	cmd.exe	121
PID 5776 wrote to memory of 2904	5776	cmd.exe	121
PID 5776 wrote to memory of 3088	5776	cmd.exe	122
PID 5776 wrote to memory of 3088	5776	cmd.exe	122
PID 5776 wrote to memory of 320	5776	cmd.exe	123
PID 5776 wrote to memory of 320	5776	cmd.exe	123
PID 5776 wrote to memory of 320	5776	cmd.exe	123
PID 5832 wrote to memory of 1860	5832	sansayrex.exe	125
PID 5832 wrote to memory of 1860	5832	sansayrex.exe	125
PID 1860 wrote to memory of 3268	1860	cmd.exe	127
PID 1860 wrote to memory of 3268	1860	cmd.exe	127
PID 1860 wrote to memory of 2480	1860	cmd.exe	128
PID 1860 wrote to memory of 2480	1860	cmd.exe	128
PID 1860 wrote to memory of 5948	1860	cmd.exe	129
PID 1860 wrote to memory of 5948	1860	cmd.exe	129
PID 1860 wrote to memory of 1788	1860	cmd.exe	130
PID 1860 wrote to memory of 1788	1860	cmd.exe	130
PID 1860 wrote to memory of 3416	1860	cmd.exe	131
PID 1860 wrote to memory of 3416	1860	cmd.exe	131
PID 1860 wrote to memory of 4048	1860	cmd.exe	132
PID 1860 wrote to memory of 4048	1860	cmd.exe	132
PID 1860 wrote to memory of 3544	1860	cmd.exe	133
PID 1860 wrote to memory of 3544	1860	cmd.exe	133
PID 1860 wrote to memory of 2508	1860	cmd.exe	134
PID 1860 wrote to memory of 2508	1860	cmd.exe	134
PID 1860 wrote to memory of 2508	1860	cmd.exe	134
PID 5644 wrote to memory of 1508	5644	sansayrex.exe	142
PID 5644 wrote to memory of 1508	5644	sansayrex.exe	142
PID 1508 wrote to memory of 5932	1508	cmd.exe	144
PID 1508 wrote to memory of 5932	1508	cmd.exe	144
PID 1508 wrote to memory of 2836	1508	cmd.exe	145
PID 1508 wrote to memory of 2836	1508	cmd.exe	145
PID 1508 wrote to memory of 1668	1508	cmd.exe	146

Views/modifies file attributes 1 TTPs 7 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
6084	attrib.exe
6104	attrib.exe
2860	attrib.exe
1496	attrib.exe
3088	attrib.exe
3544	attrib.exe
4396	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\sansayrex.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1460

C:\Users\Admin\Desktop\sansayrex.exe
"C:\Users\Admin\Desktop\sansayrex.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:400
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p1803731966274227689315228169 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:6024
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:6020
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1376
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Windows\system32\attrib.exe
    attrib +H "svchosts64.exe"
    3⤵
    - Views/modifies file attributes
    PID:1496
- - C:\Users\Admin\AppData\Local\Temp\main\svchosts64.exe
    "svchosts64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:4000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5080

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5096

C:\Users\Admin\Desktop\sansayrex.exe
"C:\Users\Admin\Desktop\sansayrex.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5776
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:5196
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p1803731966274227689315228169 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:5556
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1360
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- - C:\Windows\system32\attrib.exe
    attrib +H "svchosts64.exe"
    3⤵
    - Views/modifies file attributes
    PID:3088
- - C:\Users\Admin\AppData\Local\Temp\main\svchosts64.exe
    "svchosts64.exe"
    3⤵
    - Executes dropped EXE
    PID:320

C:\Users\Admin\Desktop\sansayrex.exe
"C:\Users\Admin\Desktop\sansayrex.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:3268
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p1803731966274227689315228169 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:5948
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3416
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4048
- - C:\Windows\system32\attrib.exe
    attrib +H "svchosts64.exe"
    3⤵
    - Views/modifies file attributes
    PID:3544
- - C:\Users\Admin\AppData\Local\Temp\main\svchosts64.exe
    "svchosts64.exe"
    3⤵
    - Executes dropped EXE
    PID:2508

C:\Users\Admin\Desktop\sansayrex.exe
"C:\Users\Admin\Desktop\sansayrex.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:5932
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p1803731966274227689315228169 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2836
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1668
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1688
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1288
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5316
- - C:\Windows\system32\attrib.exe
    attrib +H "svchosts64.exe"
    3⤵
    - Views/modifies file attributes
    PID:4396
- - C:\Users\Admin\AppData\Local\Temp\main\svchosts64.exe
    "svchosts64.exe"
    3⤵
    - Executes dropped EXE
    PID:1740

C:\Users\Admin\Desktop\sansayrex.exe
"C:\Users\Admin\Desktop\sansayrex.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  PID:1416
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:5172
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p1803731966274227689315228169 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5868
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2616
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2308
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5212
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5556
- - C:\Windows\system32\attrib.exe
    attrib +H "svchosts64.exe"
    3⤵
    - Views/modifies file attributes
    PID:6084
- - C:\Users\Admin\AppData\Local\Temp\main\svchosts64.exe
    "svchosts64.exe"
    3⤵
    - Executes dropped EXE
    PID:1364

C:\Users\Admin\Desktop\sansayrex.exe
"C:\Users\Admin\Desktop\sansayrex.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  PID:1976
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:4180
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p1803731966274227689315228169 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4092
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3500
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2016
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4228
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3764
- - C:\Windows\system32\attrib.exe
    attrib +H "svchosts64.exe"
    3⤵
    - Views/modifies file attributes
    PID:6104
- - C:\Users\Admin\AppData\Local\Temp\main\svchosts64.exe
    "svchosts64.exe"
    3⤵
    - Executes dropped EXE
    PID:3660

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1920

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Languages\eng.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4464

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5692
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\config1.cfg
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3180

C:\Users\Admin\Desktop\sansayrex.exe
"C:\Users\Admin\Desktop\sansayrex.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  PID:1128
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:5208
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p1803731966274227689315228169 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1532
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1504
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5532
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5892
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1084
- - C:\Windows\system32\attrib.exe
    attrib +H "svchosts64.exe"
    3⤵
    - Views/modifies file attributes
    PID:2860
- - C:\Users\Admin\AppData\Local\Temp\main\svchosts64.exe
    "svchosts64.exe"
    3⤵
    - Executes dropped EXE
    PID:5784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\KillDuplicate.cmd

Filesize
222B

MD5
68cecdf24aa2fd011ece466f00ef8450

SHA1
2f859046187e0d5286d0566fac590b1836f6e1b7

SHA256
64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770

SHA512
471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.3MB

MD5
7ec81b32f50f2f3be75fcdd71c770870

SHA1
19b57914116cc6ec81689a2278ace755ac1a791b

SHA256
59b61865020484143818596573bfde2f34120f0a2dd525d191f8a26d5ca3080c

SHA512
8bd18dd66fe486ab14c2ab37d8ab0bf211846353b0508452595a01bf11455291b602ce21418a6cd97b39ba2b65d62c819532add59be4de0c2bce6c3254c81602

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
101KB

MD5
17433c6e255de602f9c44d856024bf16

SHA1
2d896cb5c4ffe22e4e0afa9527a9d6e4e70b26f6

SHA256
7e8d58f95491f109f785663c9721617ff95d16e759701d66fa8d297a83ed8f48

SHA512
3ceaa6d2ac15f9efc81f18fa36213f3c50a29e5caa44fa130a94a575cadf723b2c726aa91851052d4a349438f8a20bf0e2734cce7cb1e28c95dc049122595dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
101KB

MD5
67109fde879af1ca9ef5e5d5d9a19f9a

SHA1
410cc3bf7c947edb1768975da32f84dcd9de5aa2

SHA256
2d026e24e9020251182e2e2b2ac3325b417352ed3b95beff416d2f1219b5b940

SHA512
d8e52c56c0eb278669e11acdb3829ec2b43d526bf0af64af7d949a703ef6357855af42512d54408ddb9526c4deb148060c9f110df90ffe2b76ce6a0f5012601d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
101KB

MD5
fdec2403c7ad8bf740a2091b57f274e5

SHA1
e22542647169038d571241af64c9f71a3e5f5973

SHA256
b543750a8c4ba46d3c2d4d644b03229c3f1334074a0b8bf644030ae48e598fa6

SHA512
a13dbafdd44249bf23acc1ed9d7fbbab5b96399cad2a0a7ecd908f2e996632daac42f4d721621b67c05809f1bba44a5be20bad40d26134251de064cbdd92ed3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
1.7MB

MD5
fd00fa1f1c0192845e3c44cbd4d5bbab

SHA1
9e12b3cb87b1742ab44e75de1c57f9d213161a7b

SHA256
4ee135e34c3fb1fef1676edf7116ca0cb4a3d059cbff5777714fd553dfd594b7

SHA512
a152fd49a320f92d8cbb82badad16d98d9990fd1db9d13e9cdc075de1ac367414d1353e8d278954ae2c32d95fc81f0774b6ad79f88d5755488506747cb495c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.7MB

MD5
239b7b01a0a653b79e241112d31ad859

SHA1
c1a0be543bbe3dd686252a0193c33f43f80fad8f

SHA256
b295d6686aedf46611587ac06cbf214cf80dec59c05050a32d50d524bcf89963

SHA512
f42667f9be2ad592ba06361a12b89842d4717adcf93163304e5019ccdc2c53665fc9707f0652bab834c697f5827a1f0fd3275250f940833c12216900f9aca2f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
479B

MD5
4ab2e0a497fed95a60c88c38490792e3

SHA1
bf384d79104af541bde5fdfa6f55ef689ba44f56

SHA256
28225a667c6a973d5cd2fb05ba2b0c9c3d258d5b9cde93bcae42fb826f959486

SHA512
d5af5132eddce82ee657c0e52386f0f44f6c99083605311a017b15ac1feaa9c239c30613a5224540c222fc7c4cff21eb9c1ae0ee18be3557bf6205beaabbfe2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\svchosts64.exe

Filesize
199KB

MD5
66cad6cec7c006160d7ee00e68d3e613

SHA1
214d38110bd8dd537f065c14d9edb1d516b215aa

SHA256
52409566790c9ce35688f0fb96596a1d62912733618ddc1a4467c58d901fc760

SHA512
a2a6c47816943641f968579bc40402f6542b44b19f81a9ed736a096d3322e274454e458da9698f13b58ac18463a6f2b7591413924239b40f11952a3c5e0ee836

Download Submit
C:\Users\Admin\Desktop\sansayrex.exe

Filesize
2.6MB

MD5
a25d399bfbb718f733d4113e44f33020

SHA1
1334d12a30e493d3a766462bccd81750b5268b9c

SHA256
892535a44436246917c024c5ee1b88329f40a349e50b62ad418a6fb4f7455c2f

SHA512
d3f19995ba0ca103b0f2973ea3b357e039c1bc66584c3028c462bfac9e443895de85fffc70ac2ada6e9fe95ecb613f0e4691f02f2d9cd237745710b5ab266cca

Download Submit
memory/5080-285-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/5080-284-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/5080-282-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/5080-281-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/5080-276-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/5096-61-0x0000013046700000-0x0000013046701000-memory.dmp

Filesize
4KB

Download
memory/5096-70-0x0000013046700000-0x0000013046701000-memory.dmp

Filesize
4KB

Download
memory/5096-66-0x0000013046700000-0x0000013046701000-memory.dmp

Filesize
4KB

Download
memory/5096-67-0x0000013046700000-0x0000013046701000-memory.dmp

Filesize
4KB

Download
memory/5096-71-0x0000013046700000-0x0000013046701000-memory.dmp

Filesize
4KB

Download
memory/5096-69-0x0000013046700000-0x0000013046701000-memory.dmp

Filesize
4KB

Download
memory/5096-72-0x0000013046700000-0x0000013046701000-memory.dmp

Filesize
4KB

Download
memory/5096-68-0x0000013046700000-0x0000013046701000-memory.dmp

Filesize
4KB

Download
memory/5096-60-0x0000013046700000-0x0000013046701000-memory.dmp

Filesize
4KB

Download
memory/5096-62-0x0000013046700000-0x0000013046701000-memory.dmp

Filesize
4KB

Download