Malware Analysis Report

2025-06-16 05:18

Sample ID 220206-mnpncahfaq
Target 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631
SHA256 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631
Tags cryptbot discovery evasion spyware stealer suricata
Score 10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
        Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631

Threat Level: Known bad

The file 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery evasion spyware stealer suricata

CryptBot

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

CryptBot Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Blocklisted process makes network request

Reads user/profile data of web browsers

Loads dropped DLL

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-06 10:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-06 10:36

Reported

2022-02-06 10:39

Platform

win7-en-20211208

Max time kernel

157s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description Indicator Process Target
N/A N/A N/A N/A

suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

suricata

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cscript.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\sib3F04.tmp\1\2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\sib3F04.tmp\1\2.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\sib3F04.tmp\1\2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sib3F04.tmp\1\2.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\sib3F04.tmp\1\2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\sib3F04.tmp\1\2.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sib3F04.tmp\1\2.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sib3F04.tmp\1\2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1512 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
PID 1764 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1512 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 1552 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Windows\SysWOW64\cscript.exe
PID 1552 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Users\Admin\AppData\Local\Temp\sib3F04.tmp\1\2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe

"C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe" >> NUL

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\cscript.exe

"cscript.exe" pub2.vbs //e:vbscript //NOLOGO

C:\Users\Admin\AppData\Local\Temp\sib3F04.tmp\1\2.exe

"C:\Users\Admin\AppData\Local\Temp\sib3F04.tmp\1\2.exe" /s

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.rationalowl.com udp
KR 211.239.150.87:443 www.rationalowl.com tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 nkoopw13.top udp

Files

memory/1512-54-0x0000000076001000-0x0000000076003000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

MD5 8f2a62627b2f078181b1c94666988121
SHA1 5b87477abdde9bf1bf7f5db877a0a11ef805099d
SHA256 fcc0a27322e855794eff2c2e5598647dca7cf095ece49dbdd5676f4a18c6c66e
SHA512 93cdae1cb29bb680be616f795c5a01e73b99b8dc89e62773a3897ca7a773f4ea8bcaf218c92d6e39498e89263dc4e7ff798984fccb4879312dfb32c5c94b30d4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

MD5 8f2a62627b2f078181b1c94666988121
SHA1 5b87477abdde9bf1bf7f5db877a0a11ef805099d
SHA256 fcc0a27322e855794eff2c2e5598647dca7cf095ece49dbdd5676f4a18c6c66e
SHA512 93cdae1cb29bb680be616f795c5a01e73b99b8dc89e62773a3897ca7a773f4ea8bcaf218c92d6e39498e89263dc4e7ff798984fccb4879312dfb32c5c94b30d4

memory/1764-61-0x0000000000190000-0x000000000019D000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

MD5 6e0d07af48858d4cc0ff85d1b26040ce
SHA1 fa48158e9d9b1421da0ff2ab618de1290f7e2591
SHA256 f2c635105e9c8e1483af6beae876097a484ea417cb808c45c9f69e61298043af
SHA512 98c3bb4a3a3425b94b7aa290d8a0c40486dacb805553781d82004e8b2bdf9f2bc5f311c08ab8813dc9a6c98da9aea4b48a6cb4e099beda47dd3d8343f3503e39

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

MD5 6e0d07af48858d4cc0ff85d1b26040ce
SHA1 fa48158e9d9b1421da0ff2ab618de1290f7e2591
SHA256 f2c635105e9c8e1483af6beae876097a484ea417cb808c45c9f69e61298043af
SHA512 98c3bb4a3a3425b94b7aa290d8a0c40486dacb805553781d82004e8b2bdf9f2bc5f311c08ab8813dc9a6c98da9aea4b48a6cb4e099beda47dd3d8343f3503e39

\Users\Admin\AppData\Local\Temp\nsq3DBB.tmp\Sibuia.dll

MD5 6a3c3c97e92a5949f88311e80268bbb5
SHA1 48c11e3f694b468479bc2c978749d27b5d03faa2
SHA256 7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9
SHA512 6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

\Users\Admin\AppData\Local\Temp\sib3F04.tmp\SibClr.dll

MD5 5ea6d2ffeb1be3fc0571961d0c4c2b5f
SHA1 902dfe9ae735c83fb0cb46b3e110bbf2aa80209e
SHA256 508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222
SHA512 e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585

memory/1552-75-0x00000000109B0000-0x00000000109C2000-memory.dmp

memory/1552-77-0x0000000010AB1000-0x0000000010AB2000-memory.dmp

memory/1552-79-0x0000000010AB4000-0x0000000010AB5000-memory.dmp

memory/1552-78-0x0000000010AB3000-0x0000000010AB4000-memory.dmp

memory/1552-76-0x0000000010AB0000-0x0000000010AB1000-memory.dmp

memory/1552-80-0x0000000010AB5000-0x0000000010AB7000-memory.dmp

memory/1552-81-0x00000000109F0000-0x0000000010AAA000-memory.dmp

\Users\Admin\AppData\Local\Temp\sib3F04.tmp\SibCa.dll

MD5 24aefaf7250babe29b12ab17587ec1ee
SHA1 5aa46f21a02f58713bc25d4e3018b89a8dd6eada
SHA256 1cd6e4f5776956f27875731675694983c9ff8820b4f5f5b5a0073fc24d8f0f7e
SHA512 09134802303a44e145e73c5f8a938239e5ba6778ecc67e650c6223c3d132df48c5552cb39946d8d16deb2e6fe29c081fe89fbef4775f3aa5cf57fdee2b92d38a

memory/1552-84-0x000000001C9F0000-0x000000001C9F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sib3F04.tmp\0\pub2.vbs

MD5 0bd4f555971d265433425fe4fb9adf46
SHA1 b6eed2aaaa222a07e048180e72ab51455cac02ab
SHA256 1306304bb08fa2f043811a319b6178fd20dfd93c2d63265df061bedcc439b66b
SHA512 bde9ef524261d22f5bd83587536d0cf79ff772318ebe8b38a6d0431864efd9fc5016e767f020d9546a569a45e5b676dc52357f6db0b39e8b6c95785608b05d5f

\Users\Admin\AppData\Local\Temp\sib3F04.tmp\1\2.exe

MD5 da737990f1e57863620038a5e4f8e81b
SHA1 1af5f8dbeeb0a7a1ca284bdc1a31fe3129a779bb
SHA256 05e188f9b508c440b0327c421fdb035730b910509bd736a215ee23a95a120274
SHA512 529fcf4a98ee851e1b7e93349af254bcc7e05537c91befb6ef219654f60d29abd837e41ea4baa942a46383d92c5282625a8fc6c56d1b847176a132a6d4ce3be6

C:\Users\Admin\AppData\Local\Temp\sib3F04.tmp\1\2.exe

MD5 da737990f1e57863620038a5e4f8e81b
SHA1 1af5f8dbeeb0a7a1ca284bdc1a31fe3129a779bb
SHA256 05e188f9b508c440b0327c421fdb035730b910509bd736a215ee23a95a120274
SHA512 529fcf4a98ee851e1b7e93349af254bcc7e05537c91befb6ef219654f60d29abd837e41ea4baa942a46383d92c5282625a8fc6c56d1b847176a132a6d4ce3be6

memory/1740-98-0x00000000029D0000-0x00000000029D1000-memory.dmp

memory/1740-97-0x0000000002B30000-0x0000000002B31000-memory.dmp

memory/1740-96-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

memory/1740-95-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

memory/1740-94-0x0000000002A00000-0x0000000002A02000-memory.dmp

memory/1740-99-0x00000000010B0000-0x00000000015B3000-memory.dmp

memory/1740-103-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1740-102-0x0000000002C80000-0x0000000002C81000-memory.dmp

memory/1740-101-0x00000000030F0000-0x00000000030F1000-memory.dmp

memory/1740-100-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1740-104-0x0000000000A00000-0x0000000000F03000-memory.dmp

memory/1740-105-0x0000000003100000-0x0000000003101000-memory.dmp

memory/1740-106-0x0000000003210000-0x0000000003211000-memory.dmp

memory/1740-109-0x00000000029E0000-0x00000000029E1000-memory.dmp

memory/1740-108-0x00000000029F0000-0x00000000029F1000-memory.dmp

memory/1740-107-0x00000000029C0000-0x00000000029C1000-memory.dmp

memory/1740-110-0x0000000002B20000-0x0000000002B21000-memory.dmp

memory/1740-111-0x0000000003230000-0x0000000003231000-memory.dmp

memory/1740-112-0x0000000071B71000-0x0000000071B73000-memory.dmp

memory/1740-113-0x0000000071A01000-0x0000000071A03000-memory.dmp

memory/1740-114-0x0000000002C90000-0x0000000002C91000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-06 10:36

Reported

2022-02-06 10:39

Platform

win10v2004-en-20220112

Max time kernel

161s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description Indicator Process Target
N/A N/A N/A N/A

suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

suricata

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cscript.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\1\2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\1\2.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\1\2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\1\2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat C:\Windows\System32\svchost.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\MusNotifyIcon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\MusNotifyIcon.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\1\2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\1\2.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4124" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006561" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.846128" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3892" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887938527538190" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\1\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\1\2.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\1\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\1\2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3532 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
PID 3532 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
PID 3532 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
PID 1340 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2836 wrote to memory of 496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2836 wrote to memory of 496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3532 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 3532 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 3532 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 3988 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Windows\SysWOW64\cscript.exe
PID 3988 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Windows\SysWOW64\cscript.exe
PID 3988 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Windows\SysWOW64\cscript.exe
PID 3988 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\1\2.exe
PID 3988 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\1\2.exe
PID 3988 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\1\2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe

"C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe"

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe" >> NUL

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"

C:\Windows\SysWOW64\cscript.exe

"cscript.exe" pub2.vbs //e:vbscript //NOLOGO

C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\1\2.exe

"C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\1\2.exe" /s

Network

Country Destination Domain Proto
US 8.8.8.8:53 settings-win.data.microsoft.com udp
NL 51.124.78.146:443 settings-win.data.microsoft.com tcp
NL 51.124.78.146:443 settings-win.data.microsoft.com tcp
NL 51.124.78.146:443 settings-win.data.microsoft.com tcp
US 40.126.26.135:443 tcp
NL 51.124.78.146:443 settings-win.data.microsoft.com tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
IE 51.104.162.50:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 www.rationalowl.com udp
KR 211.239.150.87:443 www.rationalowl.com tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 nkoopw13.top udp
US 8.8.8.8:53 nkoopw13.top udp
US 8.8.8.8:53 nkoopw13.top udp
US 8.8.8.8:53 nkoopw13.top udp
US 8.8.8.8:53 nkoopw13.top udp
US 8.8.8.8:53 nkoopw13.top udp
US 8.8.8.8:53 nkoopw13.top udp
US 8.8.8.8:53 nkoopw13.top udp
US 8.8.8.8:53 nkoopw13.top udp
US 8.8.8.8:53 nkoopw13.top udp
US 8.8.8.8:53 nkoopw13.top udp
US 8.8.8.8:53 nkoopw13.top udp
US 8.8.8.8:53 nkoopw13.top udp
US 8.8.8.8:53 nkoopw13.top udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

MD5 8f2a62627b2f078181b1c94666988121
SHA1 5b87477abdde9bf1bf7f5db877a0a11ef805099d
SHA256 fcc0a27322e855794eff2c2e5598647dca7cf095ece49dbdd5676f4a18c6c66e
SHA512 93cdae1cb29bb680be616f795c5a01e73b99b8dc89e62773a3897ca7a773f4ea8bcaf218c92d6e39498e89263dc4e7ff798984fccb4879312dfb32c5c94b30d4

memory/1340-170-0x0000000000AE0000-0x0000000000AED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

MD5 6e0d07af48858d4cc0ff85d1b26040ce
SHA1 fa48158e9d9b1421da0ff2ab618de1290f7e2591
SHA256 f2c635105e9c8e1483af6beae876097a484ea417cb808c45c9f69e61298043af
SHA512 98c3bb4a3a3425b94b7aa290d8a0c40486dacb805553781d82004e8b2bdf9f2bc5f311c08ab8813dc9a6c98da9aea4b48a6cb4e099beda47dd3d8343f3503e39

C:\Users\Admin\AppData\Local\Temp\nsvD626.tmp\Sibuia.dll

MD5 6a3c3c97e92a5949f88311e80268bbb5
SHA1 48c11e3f694b468479bc2c978749d27b5d03faa2
SHA256 7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9
SHA512 6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\SibClr.dll

MD5 5ea6d2ffeb1be3fc0571961d0c4c2b5f
SHA1 902dfe9ae735c83fb0cb46b3e110bbf2aa80209e
SHA256 508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222
SHA512 e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585

memory/3988-178-0x000000000EB40000-0x000000000EB52000-memory.dmp

memory/3988-180-0x0000000010E11000-0x0000000010E12000-memory.dmp

memory/3988-179-0x0000000010E10000-0x0000000010E11000-memory.dmp

memory/3988-181-0x0000000010E13000-0x0000000010E14000-memory.dmp

memory/3988-182-0x0000000010E14000-0x0000000010E16000-memory.dmp

memory/3988-183-0x0000000010E16000-0x0000000010E17000-memory.dmp

memory/3988-184-0x0000000010C80000-0x0000000010D3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\SibCa.dll

MD5 24aefaf7250babe29b12ab17587ec1ee
SHA1 5aa46f21a02f58713bc25d4e3018b89a8dd6eada
SHA256 1cd6e4f5776956f27875731675694983c9ff8820b4f5f5b5a0073fc24d8f0f7e
SHA512 09134802303a44e145e73c5f8a938239e5ba6778ecc67e650c6223c3d132df48c5552cb39946d8d16deb2e6fe29c081fe89fbef4775f3aa5cf57fdee2b92d38a

memory/3988-187-0x0000000010D60000-0x0000000010D68000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\0\pub2.vbs

MD5 0bd4f555971d265433425fe4fb9adf46
SHA1 b6eed2aaaa222a07e048180e72ab51455cac02ab
SHA256 1306304bb08fa2f043811a319b6178fd20dfd93c2d63265df061bedcc439b66b
SHA512 bde9ef524261d22f5bd83587536d0cf79ff772318ebe8b38a6d0431864efd9fc5016e767f020d9546a569a45e5b676dc52357f6db0b39e8b6c95785608b05d5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 54e9306f95f32e50ccd58af19753d929
SHA1 eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA256 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA512 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 c45b40615dbfbf26c82cfb8c7fa4d120
SHA1 0a16767bf9a253a323bd5713fbc8bc8ccc390b59
SHA256 20eba448c45e9f832984df6327022407e069a5b138d98a6096217b22b4b30f22
SHA512 a3934179b202154ded54adfa5e09c4ddc1f5d62745e7e45e32697741573c25f49152884b48122007f22ccc3113d03237cdb0756a3f94f6a8643bd6ef9d68dfb5

C:\Users\Admin\AppData\Local\Temp\sibD81B.tmp\1\2.exe

MD5 da737990f1e57863620038a5e4f8e81b
SHA1 1af5f8dbeeb0a7a1ca284bdc1a31fe3129a779bb
SHA256 05e188f9b508c440b0327c421fdb035730b910509bd736a215ee23a95a120274
SHA512 529fcf4a98ee851e1b7e93349af254bcc7e05537c91befb6ef219654f60d29abd837e41ea4baa942a46383d92c5282625a8fc6c56d1b847176a132a6d4ce3be6

memory/2804-194-0x0000000004A50000-0x0000000004A51000-memory.dmp

memory/2804-193-0x0000000004A40000-0x0000000004A41000-memory.dmp

memory/2804-195-0x0000000004A60000-0x0000000004A61000-memory.dmp

memory/2804-196-0x0000000000F30000-0x0000000001433000-memory.dmp

memory/2804-198-0x0000000004A70000-0x0000000004A71000-memory.dmp

memory/2804-197-0x0000000004A20000-0x0000000004A21000-memory.dmp

memory/2804-199-0x0000000004A10000-0x0000000004A11000-memory.dmp

memory/2804-201-0x0000000004A90000-0x0000000004A91000-memory.dmp

memory/2804-200-0x0000000004A80000-0x0000000004A81000-memory.dmp

memory/2804-202-0x0000000004A30000-0x0000000004A31000-memory.dmp