Malware Analysis Report

2025-01-22 15:11

Sample ID 240220-ka6ctsdf9z
Target Loader.exe
SHA256 46dd45eb8ad4b41894e667075df700eba76228a047d2c01cca6c3511ec6a379a
Tags orcus persistence rat spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

46dd45eb8ad4b41894e667075df700eba76228a047d2c01cca6c3511ec6a379a

Threat Level: Known bad

The file Loader.exe was found to be: Known bad.

Malicious Activity Summary

orcus persistence rat spyware stealer

Orcus Rat Executable

Orcus

Orcus main payload

Orcus family

Orcus Rat Executable

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-20 08:24

Signatures

Orcus Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-20 08:24

Reported

2024-02-20 08:25

Platform

win7-20231215-en

Max time kernel

20s

Max time network

24s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Orcus Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Winrar\\Data\\Winrar.exe\"" C:\Program Files\Winrar\Data\Winrar.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Winrar\Data\Winrar.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File opened for modification C:\Program Files\Winrar\Data\Winrar.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File created C:\Program Files\Winrar\Data\Winrar.exe.config C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\helppane.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\helppane.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Winrar\Data\Winrar.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\helppane.exe N/A
N/A N/A C:\Program Files\Winrar\Data\Winrar.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Winrar\Data\Winrar.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\helppane.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2716 wrote to memory of 2720 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2548 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2548 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Program Files\Winrar\Data\Winrar.exe
PID 2288 wrote to memory of 1632 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Winrar\Data\Winrar.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9lzmtyxx.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FDD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5FDC.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\helppane.exe

C:\Windows\helppane.exe -Embedding

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Winrar\Data\Winrar.exe

"C:\Program Files\Winrar\Data\Winrar.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {A7F23B5B-1DF9-4195-B975-3362DCEEC340} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]

C:\Program Files\Winrar\Data\Winrar.exe

"C:\Program Files\Winrar\Data\Winrar.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Program Files\Winrar\Data\Winrar.exe" 1868 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Program Files\Winrar\Data\Winrar.exe" 1868 "/protectFile"

Network

Country Destination Domain Proto
US 8.8.8.8:53 centre-shaped.gl.at.ply.gg udp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-02-20 08:24

Reported

2024-02-20 08:25

Platform

win10v2004-20231222-en

Max time kernel

38s

Max time network

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Orcus Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Program Files\Winrar\Data\Winrar.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Winrar\\Data\\Winrar.exe\"" C:\Program Files\Winrar\Data\Winrar.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Winrar\Data\Winrar.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File opened for modification C:\Program Files\Winrar\Data\Winrar.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File created C:\Program Files\Winrar\Data\Winrar.exe.config C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Program Files\Winrar\Data\Winrar.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Winrar\Data\Winrar.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Winrar\Data\Winrar.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Winrar\Data\Winrar.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5668 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 3796 wrote to memory of 1868 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 5668 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 5668 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Program Files\Winrar\Data\Winrar.exe
PID 1808 wrote to memory of 4704 N/A C:\Program Files\Winrar\Data\Winrar.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4704 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2d8nw7sh.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D94.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4D93.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Winrar\Data\Winrar.exe

"C:\Program Files\Winrar\Data\Winrar.exe"

C:\Program Files\Winrar\Data\Winrar.exe

"C:\Program Files\Winrar\Data\Winrar.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Program Files\Winrar\Data\Winrar.exe" 1808 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Program Files\Winrar\Data\Winrar.exe" 1808 "/protectFile"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 centre-shaped.gl.at.ply.gg udp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 8.8.8.8:53 18.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp

Files
