Malware Analysis Report

2024-10-23 17:19

Sample ID 240207-bda7eschfl
Target 0daebde971a5f21690f26c1ed8bf8813.bin
SHA256 36a393fe2f9dc53f5b094ca2da3e76621e7b5c2f9ef524f76a1b7d2609041cea
Tags: smokeloader backdoor persistence trojan upx povertystealer bootkit discovery spyware stealer

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 36a393fe2f9dc53f5b094ca2da3e76621e7b5c2f9ef524f76a1b7d2609041cea

Threat Level: Known bad

The file 0daebde971a5f21690f26c1ed8bf8813.bin was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor persistence trojan upx povertystealer bootkit discovery spyware stealer

Detect Poverty Stealer Payload

SmokeLoader

Poverty Stealer

Downloads MZ/PE file

UPX packed file

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-07 01:01

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-02-07 01:01

Reported

2024-02-07 01:03

Platform

win7-20231215-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8804.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8804.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8804.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\8804.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2244 set thread context of 2784 N/A C:\Users\Admin\AppData\Local\Temp\8804.exe C:\Users\Admin\AppData\Local\Temp\8804.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe N/A

Suspicious use of FindShellTrayWindow


Suspicious use of SendNotifyMessage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1164 wrote to memory of 2244 N/A N/A C:\Users\Admin\AppData\Local\Temp\8804.exe
PID 2244 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\8804.exe C:\Users\Admin\AppData\Local\Temp\8804.exe
PID 1164 wrote to memory of 1412 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1412 wrote to memory of 2076 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe

"C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe"

C:\Users\Admin\AppData\Local\Temp\8804.exe

C:\Users\Admin\AppData\Local\Temp\8804.exe

C:\Users\Admin\AppData\Local\Temp\8804.exe

C:\Users\Admin\AppData\Local\Temp\8804.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9426.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\9426.dll

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-02-07 01:01

Reported

2024-02-07 01:03

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe"

Signatures

Detect Poverty Stealer Payload


Poverty Stealer

stealer povertystealer

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\847.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe N/A

Deletes itself


Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\F117.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\55AF.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5372 set thread context of 4292 N/A C:\Users\Admin\AppData\Local\Temp\F117.exe C:\Users\Admin\AppData\Local\Temp\F117.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H9MJJ.tmp\10F3.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3428 wrote to memory of 5372 N/A N/A C:\Users\Admin\AppData\Local\Temp\F117.exe
PID 5372 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\F117.exe C:\Users\Admin\AppData\Local\Temp\F117.exe
PID 3428 wrote to memory of 2720 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2720 wrote to memory of 2828 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3428 wrote to memory of 3820 N/A N/A C:\Users\Admin\AppData\Local\Temp\55AF.exe
PID 3428 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\D7B1.exe
PID 3428 wrote to memory of 3872 N/A N/A C:\Users\Admin\AppData\Local\Temp\847.exe
PID 3872 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\847.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
PID 1920 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
PID 3428 wrote to memory of 5752 N/A N/A C:\Users\Admin\AppData\Local\Temp\10F3.exe
PID 5752 wrote to memory of 5656 N/A C:\Users\Admin\AppData\Local\Temp\10F3.exe C:\Users\Admin\AppData\Local\Temp\is-H9MJJ.tmp\10F3.tmp
PID 5656 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\is-H9MJJ.tmp\10F3.tmp C:\Users\Admin\AppData\Local\BurnAware Extension\burnawareext.exe
PID 5656 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\is-H9MJJ.tmp\10F3.tmp C:\Users\Admin\AppData\Local\BurnAware Extension\burnawareext.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe

"C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe"

C:\Users\Admin\AppData\Local\Temp\F117.exe

C:\Users\Admin\AppData\Local\Temp\F117.exe

C:\Users\Admin\AppData\Local\Temp\F117.exe

C:\Users\Admin\AppData\Local\Temp\F117.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4B5D.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\4B5D.dll

C:\Users\Admin\AppData\Local\Temp\55AF.exe

C:\Users\Admin\AppData\Local\Temp\55AF.exe

C:\Users\Admin\AppData\Local\Temp\D7B1.exe

C:\Users\Admin\AppData\Local\Temp\D7B1.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1372 -ip 1372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1372 -ip 1372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 1060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 1040

C:\Users\Admin\AppData\Local\Temp\847.exe

C:\Users\Admin\AppData\Local\Temp\847.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

work.exe -priverdD

C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe"

C:\Users\Admin\AppData\Local\Temp\10F3.exe

C:\Users\Admin\AppData\Local\Temp\10F3.exe

C:\Users\Admin\AppData\Local\Temp\is-H9MJJ.tmp\10F3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-H9MJJ.tmp\10F3.tmp" /SL5="$D022C,7139316,54272,C:\Users\Admin\AppData\Local\Temp\10F3.exe"

C:\Users\Admin\AppData\Local\BurnAware Extension\burnawareext.exe

"C:\Users\Admin\AppData\Local\BurnAware Extension\burnawareext.exe" -i

C:\Users\Admin\AppData\Local\BurnAware Extension\burnawareext.exe

"C:\Users\Admin\AppData\Local\BurnAware Extension\burnawareext.exe" -s

Network


Files


memory/4292-66-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D7B1.exe

MD5 6cf931438be174a8b69d0e7e91c4fed1
SHA1 97707a5c7c3f7eea2cc2c20d6842c1501a9ce9eb
SHA256 03c363e860cf51eab30918b771bdfef84afc3c3e34d674114d56ef63b0411fef
SHA512 95fc988c87c31104e8680d3d918bf3ee8075a1b7e280665c1dff2789594c7343ca47552ed601e472d1578ef6cf7a2bcf624af805da6067429f54cb4b7b6ef11c

memory/1372-70-0x00000000000F0000-0x00000000007F5000-memory.dmp

memory/1372-76-0x0000000002800000-0x0000000002801000-memory.dmp

memory/1372-75-0x0000000002800000-0x0000000002801000-memory.dmp

memory/1372-74-0x0000000002800000-0x0000000002801000-memory.dmp

memory/1372-73-0x00000000029B0000-0x00000000029B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D7B1.exe

MD5 01211bf1c2c1a5f57e140a2248066f2f
SHA1 093b50d0cceea3ff5fab3c8c5f5cc47bb0c3e65d
SHA256 7a76f753b777e58acb1d8736f0e80f9049e9504358840c3f329d319256ddb5fd
SHA512 9150cf77059047884261eb8bcae1c451e2214a23eae59d6667bd303cc577a5a8c4938d06b2c8d7922d2a14e922cbf9fa966e7039d6ca6cf38202de0e6d0b0152

memory/4292-79-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4292-80-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\847.exe

MD5 b114ea01575abef1a314e81a288956b0
SHA1 6d8cce5a035a8cb9d7c0ea3d32522e928c2d66b6
SHA256 4e3c99af58dd764465cd55366bc0f8bc091c676ccc4d532b63d18d9518bc074d
SHA512 f11036781b9ccc078ad5737680805b614d2bdf999a2c05c424170eb2f53e56d7bda939287451ed7d4ecede08544f2df51deb463bb265174947807e868c9e008b

C:\Users\Admin\AppData\Local\Temp\847.exe

MD5 12a6fc1a995d4d1846a6335e20abaa70
SHA1 4913f5b0f2545b207ef512975a1a46cd6fa6a1b3
SHA256 711ace661ef25b320ae33d1b7a9d717e86894eefdf723b16abcd65a549d6d6e7
SHA512 69513f40bb2b64b4d28285ebc335458b69e382a3cd43c81b6ae71c9dd1bae04ed42e909065fbed47e28e23ac07b7b23bfaff33983dc1fd2a8b3d2df71b030a07

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

MD5 ff59d999beb970447667695ce3273f75
SHA1 316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512 d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

MD5 112c6c562611bac65c97a65313e27ca2
SHA1 97d02428ba2f25d2b19faebf6f4deb4bc9351cab
SHA256 c5cdc4abcc81cee13568d5116fad10b52455964eac68ecd6709fccc5e7a3c9a7
SHA512 887cc6ef4f9d585757057d7374689182f95f22eed741828f6978662a1d276ae4ebf107d345502d95c53f9d61d562c7e270442a7546b40a227d647eaecf17b4a3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

MD5 d1939c3877120e55b826f9e58e28e96c
SHA1 c4572e70ae6bd93dbb95d068bb2744a858ff70e6
SHA256 5a41cf49b69091b6335d2b744a8058824bcb7af1efe383f19f9b32c698c8a48f
SHA512 d5baf5c2feee552354b5492a2f2309bddd09e1a7940a63d0c16eb2176a43ba655452bac8b68a002d1f30bf798b9d6b2830c688ace9b9b3ffabf57dae09a8d892

C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe

MD5 38d71977d7eb1451e0497d888b8b40d1
SHA1 12abfe0a3074280d31afe0dd66066bbc550bfb50
SHA256 d720711e2a7717437c0116adeeb382ef61a717bc91faa90a0e06a63f9d7c763c
SHA512 d3150d7ba767bd1a455b0875ab70a1cc436e59dd2f88d40941f3f4605d44e72e82c106381d2706e01528159d411d3f6d3b0964bb7de58d3a26582e353d3f25b9

memory/5064-107-0x00000000005F0000-0x000000000095C000-memory.dmp

memory/5064-108-0x0000000000E30000-0x0000000000E31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 cd35620254d58c7c83167df00c69471d
SHA1 e8ab918ab50311b01671b9399306c9ad554fad8d
SHA256 7d7d8f3cedcd040813b3a86f565fa4bef8a9b57245c7f22d57c8980be6054346
SHA512 d4a4571863a401111cd83b86887e1675e6379e4b991d2dda65237bbb3c55eef1e6d73e56dc7762eae0a766e78dcce9d8a1565e742369bfe3f8b1a08479839f76

C:\Users\Admin\AppData\Local\Temp\10F3.exe

MD5 51249e5b4304127fa304051576ba8295
SHA1 a3f7fb4191aeabc9644663c0fa18b2cbb74b9669
SHA256 256e486a868cd9e83d1dde1f169529089fa43b23c30ef1174e7fdc729d1639b5
SHA512 75a53ca2498de460a1975b6caf4c16406ac601d2530e9d0410c33a0f0585564caea07d18c3302f97e06ce172d0787ed3b7739ad62385f4b802a29799e38f873e

C:\Users\Admin\AppData\Local\Temp\10F3.exe

MD5 8dc49b19d6bb66485a718095483cb745
SHA1 1edc468c7a08486826f69473b8d399e803c905c5
SHA256 4d4d11f2db7449eab0ae5c1090cb898fbaad681ed994ddf3b5c57520f22622f4
SHA512 00f77bb6e6e10f456b561ebb4ee9e1a9e5be9a57e5fefacc0d6b975a588eaa351d98d131e66d864b7f92dfa87b468123c91994d4d9871e1cfa1e35c035dbb8d7

memory/5752-119-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-H9MJJ.tmp\10F3.tmp

MD5 2a0ee6d77d5c3c63d258201e80c82752
SHA1 c0123db2a89e075cfa40038b02c71b3559185fbd
SHA256 38da5fcdaa7d0a3a819c51ed66fcfac46a3de83143222bda21cf736c1d6fd0a4
SHA512 f3a2e52bcda9e7be3eeb6f2cbaf28b588e9f245c278169125bd23532730766097133cfd54c586ae15dd5b633af42416e2dae1eddf8d8c13838d63ea0bf9ff8e1

C:\Users\Admin\AppData\Local\Temp\is-H9MJJ.tmp\10F3.tmp

MD5 85ce55c7e40b385772ac457f7df2fca9
SHA1 edb6a2690a6222669fc6f567b1652ae969625d34
SHA256 6b27b2dfc6951f24162839234a9d3f14cbe8e32c454489a51c85aff4fc0d48a9
SHA512 8e4517aee48c0b3829a86e46ceb306ab889fbd033d4f712f8ea740d1484debe1749630c7ac7dd396f3dabe729d0c1b4b0c26852f0c005375345c21dd98e4ebbc

memory/5752-121-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-EM2IU.tmp\_isetup\_isdecmp.dll

MD5 3adaa386b671c2df3bae5b39dc093008
SHA1 067cf95fbdb922d81db58432c46930f86d23dded
SHA256 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38
SHA512 bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

C:\Users\Admin\AppData\Local\Temp\is-EM2IU.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/5656-132-0x0000000000660000-0x0000000000661000-memory.dmp

memory/5064-177-0x00000000005F0000-0x000000000095C000-memory.dmp

C:\Users\Admin\AppData\Local\BurnAware Extension\burnawareext.exe

MD5 db869d0402214f1e4770179a2482122d
SHA1 b03a37dd2e228ee99232509a99570702881b47c0
SHA256 88c9335634732c4fbc261444257c1f2e558ae7a5812a8e7b16dfae959620ee71
SHA512 c63ddc9f888e6bd0639c8623af8ab19e67624937f7654ef331be2c7c4b022e9d0ae142acae501fb949b1506725ff238f71215d2967e04bfe41064026abdb3917

memory/2016-185-0x0000000000400000-0x00000000006BE000-memory.dmp

C:\Users\Admin\AppData\Local\BurnAware Extension\burnawareext.exe

MD5 ed3e3b32c3a106033a3964bc203cba66
SHA1 4784d8d8fed888f484306b64a0c025f2a16d4ec8
SHA256 bf56c48b46031a92ba98a21dd828f1ba165333152a8e4ba0f5804c48482a1506
SHA512 6ec10fb133f38daad4beabbd1d0fd99c30532232fb189defbe913457fe244623fed2b2da40b306bbb6559de6fb0cbbfca00547009dc7bc9ac0e197fe55199d51

memory/2016-188-0x0000000000400000-0x00000000006BE000-memory.dmp

memory/1344-191-0x0000000000400000-0x00000000006BE000-memory.dmp

C:\Users\Admin\AppData\Local\BurnAware Extension\burnawareext.exe

MD5 7407427697a247462b7c3a1917837536
SHA1 b5607d7d2be55abcc277644415a24094b2712dc4
SHA256 02df7117fcee911790b14f62ac31ded04123f644f7ce42d3b1e499d7d40ddbcd
SHA512 59ef76e09c8db4149296cd7bcf55d9eaaa5647d9d34f79f6ab121ed7dd77ccac83eb5ba446945a823c89e829b7c1ae81cb2c111e8e72ee179115e012b8de3b66

memory/2016-189-0x0000000000400000-0x00000000006BE000-memory.dmp

memory/1344-193-0x0000000000400000-0x00000000006BE000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4292-196-0x0000000000400000-0x0000000000848000-memory.dmp

memory/5752-197-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5656-198-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1344-199-0x0000000000400000-0x00000000006BE000-memory.dmp

memory/5656-200-0x0000000000660000-0x0000000000661000-memory.dmp

memory/4292-201-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1344-204-0x0000000000400000-0x00000000006BE000-memory.dmp

memory/4292-205-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1344-211-0x0000000000400000-0x00000000006BE000-memory.dmp
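Two things in the listing above are worth checking mechanically rather than by eye. First, the `\??\PIPE\srvsvc` entry carries the MD5, SHA1, SHA256 and SHA512 digests of zero bytes, so it is a handle the sandbox recorded with no content and must not be treated as a dropped-file indicator. Second, several Temp paths (`F117.exe`, `4B5D.dll`, `D7B1.exe`, `847.exe`, `work.exe`, `10F3.exe`, `burnawareext.exe`) appear more than once with different digests, meaning the same on-disk path was rewritten during detonation, and the `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entries show the same region (for example PID 4292, 0x400000 to 0x848000) dumped many times as it was modified in place. The script below is an added example, not part of the report or the sandbox's own tooling: it parses this listing format, verifies the empty-content digests with `hashlib`, groups hash versions by path, counts repeated memory regions, and emits a SHA256 hunting set with the placeholder removed. The sample input is a constructed subset of the entries above (SHA512 lines omitted except on the pipe entry).

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: a subset of entries copied from the report's Files
# section. Paths, digests and dump names are from the page; the selection
# is ours and is not the complete listing.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\F117.exe

MD5 724909a5e9b0825c658a13c61e25a376
SHA1 e42e13c485aeab181125e49b710ff93c899d01b0
SHA256 fb708085e5064a7ce7a329c2bb06b3e1664ef3f7d437ca624026b3ac8b68ed85

memory/4292-18-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F117.exe

MD5 b9cb37e922db4ac956e8d1344be176b7
SHA1 c0f47eb8367dd56d99ffb0b04481cfdaba9eade4
SHA256 1aa7e77a59986394b6a12cf1bfeb773419c7cda4c5916ef0cb1ea00f1f56ecdb

memory/4292-20-0x0000000000400000-0x0000000000848000-memory.dmp

memory/5372-17-0x00000000024F0000-0x00000000026A7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4B5D.dll

MD5 a8261065c05d0aeb494ebf8cb44e5e57
SHA1 0cebd015efbeea945ce46d08b06a874d916256f2
SHA256 b0876695d59065b5414e1c13c9b5567e764af839954c38d0c5f2a8d12150ad83

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")

# Digests of zero bytes, computed rather than hard-coded so the check is exact.
EMPTY_DIGESTS = {a: getattr(hashlib, a.lower())(b"").hexdigest()
                 for a in ("MD5", "SHA1", "SHA256", "SHA512")}


def parse_files_section(text):
    """Return (files, dumps).

    files: list of (path, {algo: hexdigest}) in order of appearance; a path
           that recurs yields one record per occurrence (one per content version).
    dumps: list of (pid, seq, start, end) for memory/...-memory.dmp entries.
    """
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is None:
                raise ValueError("digest line with no preceding path: %s" % line)
            current[1][m.group(1)] = m.group(2).lower()
            continue
        m = MEM_DUMP.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        current = (line, {})          # any other non-empty line starts a file record
        files.append(current)
    return files, dumps


def is_empty_content(digests):
    """True when every recorded digest is the digest of zero bytes (a content-less handle)."""
    return bool(digests) and all(EMPTY_DIGESTS[a] == h for a, h in digests.items())


def versions_by_path(files):
    """Map path -> distinct SHA256 values seen for it, in first-seen order."""
    seen = defaultdict(list)
    for path, d in files:
        h = d.get("SHA256")
        if h and h not in seen[path]:
            seen[path].append(h)
    return dict(seen)


def rewritten_paths(files):
    """Paths that were written more than once with different content during detonation."""
    return sorted(p for p, v in versions_by_path(files).items() if len(v) > 1)


def dump_regions(dumps):
    """Map (pid, start, end) -> how many times that exact region was dumped.

    A high count for one region means it was modified in place (typical of
    a packed image being unpacked or overwritten at its original base)."""
    counts = defaultdict(int)
    for pid, _seq, start, end in dumps:
        counts[(pid, start, end)] += 1
    return dict(counts)


def ioc_sha256(files):
    """SHA256 set for hunting: every dropped-file version, minus empty-content placeholders."""
    return sorted({d["SHA256"] for _p, d in files if "SHA256" in d and not is_empty_content(d)})


if __name__ == "__main__":
    files, dumps = parse_files_section(SAMPLE)
    print("rewritten paths:", rewritten_paths(files))
    for (pid, start, end), n in dump_regions(dumps).items():
        print("pid %d region 0x%X-0x%X (%d bytes) dumped %d times" % (pid, start, end, end - start, n))
    print("SHA256 IOCs:", ioc_sha256(files))
```

Run it on the full Files section and every path listed with several digest sets comes back from `rewritten_paths`, while the `\??\PIPE\srvsvc` digests are dropped from the IOC set; without that filter, the empty-string SHA256 would match every zero-byte file in the estate and flood a hunt with false positives.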