Malware Analysis Report

2025-01-18 21:27

Sample ID: 240321-rs9xasfa9w
Target: dbdabbb75ed8325345dc4df90533af86
SHA256: 5211669e6271767591d4d12d0c522df57ba953aafd60b665eebc4bd56fe619d7
Tags: adware, persistence, stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 5211669e6271767591d4d12d0c522df57ba953aafd60b665eebc4bd56fe619d7

Threat Level: Shows suspicious behavior

The file dbdabbb75ed8325345dc4df90533af86 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: adware, persistence, stealer

Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Installs/modifies Browser Helper Object
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-21 14:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-21 14:28
Reported: 2024-03-21 14:31
Platform: win7-20231129-en
Max time kernel: 149s
Max time network: 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VLAutoPro7.28.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
N/A N/A C:\Windows\SysWOW64\svshort.exe N/A

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svshort = "C:\\Windows\\SysWOW64\\svshort.exe" C:\Windows\SysWOW64\svshort.exe N/A

Installs/modifies Browser Helper Object

Tags: stealer, adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\svshort.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\pk.bin C:\Windows\SysWOW64\svshort.exe N/A
File created C:\Windows\SysWOW64\pk.bin C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\svshort.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\svshorthk.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\mc.dat C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\svshortwb.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\inst.dat C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\rinst.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32 C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0 C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1" C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class" C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32 C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE" C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0 C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\svshortwb.dll" C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\Windows\\SysWOW64\\" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\Windows\\SysWOW64\\svshortwb.dll" C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1 C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 C:\Windows\SysWOW64\svshort.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svshort.exe N/A
N/A N/A C:\Windows\SysWOW64\svshort.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svshort.exe N/A (64 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\VLAutoPro7.28.exe

"C:\Users\Admin\AppData\Local\Temp\VLAutoPro7.28.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"

C:\Windows\SysWOW64\svshort.exe

C:\Windows\system32\svshort.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 alt1.gmail-smtp-in.l.google.com udp
NL 142.250.27.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.27.27:25 alt1.gmail-smtp-in.l.google.com tcp
NL 142.250.27.27:25 alt1.gmail-smtp-in.l.google.com tcp

Files

\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

MD5 a455ca431e66975d886f1a8cfee8cb9f
SHA1 95868529973c77199b76ec593a686d9b324dee8b
SHA256 6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056
SHA512 53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531

C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

MD5 7a9803f989525a1374ed887518c91c01
SHA1 0582b8bd77829ed3b9fc2a1a58ffea8a0f03c80a
SHA256 550ec97e47c5eceb7a2eb6e35d1951a8d0ed1815e5ecf5b1461a98e78134d39a
SHA512 e1e191c4494d76d31e2e9cfb75624d77d5b21bab179315ca912c334f133625dd1044f915c6746fe9087a7224ff2ee8d7fb96e178b1b897c93fcb7ce7bd7f0c73

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

MD5 61022a2265fce6d7158c46b8a48e0e37
SHA1 47410c7c2b0a7073ea47bc8756e97162e0cde163
SHA256 3d4f1282beec16cfc8b14f7aaf21b951086faac3d89249a619f955ae1f05b0b6
SHA512 f7f56b9add45e7b5d3c5884a8c4e86c4bb5536785870714cace5340fb439af90a1adbcc09f4c65da481336f3bbe1c49585d876e012f84f570f7e0a41a292bc23

C:\Users\Admin\AppData\Local\Temp\RarSFX0\svshorthk.dll

MD5 0dd68b8930c9e39a6d794ab4544a08b3
SHA1 fde93e99a3caa68da6a779a5ec29fd37fdd0c7d1
SHA256 6d9ae822a254d96cddd8e13114e5be9caf9faa57655696bb5c7211dd96b11ad1
SHA512 dcdd233ed41cbe91f13f5daf4a4bdf51fc8a070afbd594f755ee52205aee0dc44c609206e1615e18aab512e9ca2a572116e6b0214ec0d13118ae2fd4e1003437

C:\Users\Admin\AppData\Local\Temp\RarSFX0\svshort.exe

MD5 4f2598e0335a8785a7777b76714c0a50
SHA1 06ea320b04d8bc2d1349fd53dbfefc24a6c870d7
SHA256 bf5146235bdb90045174c9604ae938982251ac39840782b4dd02f3064f474660
SHA512 bdf99154fdd7b1d4ca2adef99f03affcaa342b361cab571cb24c01f5a0d85e47a43a55cf0ab793c74d16523ff3beb6c65c7c7eb1a5a58378c3518da3adce4c20

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mc.dat

MD5 786df1745a46be0beb31a717d4d219ac
SHA1 ff144f89e6b1b4357ec957ad24a8078f30ef14f4
SHA256 5be4f914b383dbc464215981549063bd3f23ad1833a75bdf682f001c0b622559
SHA512 03cad375391576167e3e2dba7cc8d7ff558f9055270aa90012568ea8fdb2526f2d7bf23d57aa5b6e37e221bfd370f17fac63d26f869d6464c44a233336898c60

C:\Users\Admin\AppData\Local\Temp\RarSFX0\svshortwb.dll

MD5 0a062bf81e9c6150e207cb68ab69bb7a
SHA1 ed147ea3f2605a5913b6b7ff87cf70ab10d2d68d
SHA256 34922769f5b4512bb9d66c36c1b6ad218d272ff23f41ded0462df2b330e9a5b1
SHA512 b87fc0512f0ec4b2a8991e1f27c65b440ef1fb223449ac7f971a738987ca09948c4860a3bbcd07098281c3c2247434448234cc8765a8222fa5db4b17db63e066

\Windows\SysWOW64\svshort.exe

MD5 bae0fb25bcf05a5da7fde8dce759ee0d
SHA1 bc74b07d14a63ce572755c70ceb796136d129e20
SHA256 b966953b0a0e0bf648b1043b4e708445b52b020a0485921138bbf3be58d9995d
SHA512 74a61f7712df39194b2cb77186231d5960b8bfc5b37abdf20c357471a4e8dd8a8e648161cda7b1c8ee01d422926e3b30fd5ec9c6ebbf589a4feeaeba99ca2929

C:\Windows\SysWOW64\mc.dat

MD5 6ef573039518dd1b935d5f90575acfc1
SHA1 fa76137f023c90ab85dd0d8376d58135d526d218
SHA256 29855077d58666babb14e533019c1f75dc2280263f04e4d3b5014aba8df4bfb3
SHA512 55c9e7567efbb02453a7a4add946a66447ea6d5444c5605a6d913ea7247e52354142092d339964ddce0921f688f070eae5492d596dec664c1eccd4dfbdd5cf87

C:\Windows\SysWOW64\pk.bin

MD5 7bafaa547b6763a866796dd76a748511
SHA1 7eb671e7fc9d41c270b9d2bc8e3d6526b62766f3
SHA256 08eed37fdaf682ca23bd4b2ccfe3d0c61019209f35d0df20da406a76acc72fd0
SHA512 8818d57cacf95e090985ec913ecd3f4ef4c67e7a8586f395d62076d4bc49fc95e9a9e006fa003d5a9b0d24302622bca3861d69cd17ea1b98bc7f542fd5ace36b

C:\Windows\SysWOW64\svshorthk.dll

MD5 58129986fa29f6dacd99ab45f60bcb3c
SHA1 7f21995794a060fc8629e0d113cf568de14c509e
SHA256 525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a
SHA512 62ade2d2eb41cd99dcd9f6d66e7966d129be20551faadcf827558e85d669f885ad144d10a87c3be7faed08103b86ab523fb6756b44f9e0ba77cdff586214701a

C:\Windows\SysWOW64\svshortwb.dll

MD5 2e6016325548ab79e2d636640c6ec473
SHA1 586e2b84d46ef00e26c1686033def28e8a9995a5
SHA256 62e2948c3e3857e8304a657b7e7da30cdcb6842f71bd4c678a1734ebbf17198e
SHA512 1dc89b9e15f5835dff3203e278f000df5c0d8d93cbef5059be3f1024ef1e16ae8087a4f8e1131b20b190942984e9dc6079dfe951a52de7f4d4ad7de8721a0e86

memory/3040-62-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-21 14:28
Reported: 2024-03-21 14:31
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VLAutoPro7.28.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VLAutoPro7.28.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
N/A N/A C:\Windows\SysWOW64\svshort.exe N/A

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svshort = "C:\\Windows\\SysWOW64\\svshort.exe" C:\Windows\SysWOW64\svshort.exe N/A

Installs/modifies Browser Helper Object

Tags: stealer, adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin" C:\Windows\SysWOW64\svshort.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\svshorthk.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\mc.dat C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\svshortwb.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\inst.dat C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\rinst.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File opened for modification C:\Windows\SysWOW64\pk.bin C:\Windows\SysWOW64\svshort.exe N/A
File created C:\Windows\SysWOW64\pk.bin C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\svshort.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library" C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32 C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0 C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1" C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class" C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1" C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1 C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\svshortwb.dll" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32 C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\Windows\\SysWow64\\svshortwb.dll" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0 C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 C:\Windows\SysWOW64\svshort.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\svshort.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable C:\Windows\SysWOW64\svshort.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svshort.exe N/A
N/A N/A C:\Windows\SysWOW64\svshort.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svshort.exe N/A (64 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\VLAutoPro7.28.exe

"C:\Users\Admin\AppData\Local\Temp\VLAutoPro7.28.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"

C:\Windows\SysWOW64\svshort.exe

C:\Windows\system32\svshort.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 alt1.gmail-smtp-in.l.google.com udp
NL 142.250.27.26:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
NL 142.250.27.26:25 alt1.gmail-smtp-in.l.google.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
NL 142.250.27.26:25 alt1.gmail-smtp-in.l.google.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

MD5 a455ca431e66975d886f1a8cfee8cb9f
SHA1 95868529973c77199b76ec593a686d9b324dee8b
SHA256 6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056
SHA512 53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531

C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

MD5 7a9803f989525a1374ed887518c91c01
SHA1 0582b8bd77829ed3b9fc2a1a58ffea8a0f03c80a
SHA256 550ec97e47c5eceb7a2eb6e35d1951a8d0ed1815e5ecf5b1461a98e78134d39a
SHA512 e1e191c4494d76d31e2e9cfb75624d77d5b21bab179315ca912c334f133625dd1044f915c6746fe9087a7224ff2ee8d7fb96e178b1b897c93fcb7ce7bd7f0c73

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VLAutoPro7.28.zip

MD5 daaa30ecf65403e41466d86215522bcf
SHA1 774194c0778c10e2d9272f2d36fe24758fa6ed9b
SHA256 7b664388183968fc36261475cf1bcdd75633c406ee532e4e83bfaf5cb8a4a84f
SHA512 ba8fb80c37d30226b0dfc545161d438beb42b87d177f54f972fc7063eb44b59b33ea9372bf6cd1f424db2a9029461e5f7da14ed43b2cda43713b451bf9a7f615

C:\Users\Admin\AppData\Local\Temp\RarSFX0\svshort.exe

MD5 4f2598e0335a8785a7777b76714c0a50
SHA1 06ea320b04d8bc2d1349fd53dbfefc24a6c870d7
SHA256 bf5146235bdb90045174c9604ae938982251ac39840782b4dd02f3064f474660
SHA512 bdf99154fdd7b1d4ca2adef99f03affcaa342b361cab571cb24c01f5a0d85e47a43a55cf0ab793c74d16523ff3beb6c65c7c7eb1a5a58378c3518da3adce4c20

C:\Users\Admin\AppData\Local\Temp\RarSFX0\svshortwb.dll

MD5 0a062bf81e9c6150e207cb68ab69bb7a
SHA1 ed147ea3f2605a5913b6b7ff87cf70ab10d2d68d
SHA256 34922769f5b4512bb9d66c36c1b6ad218d272ff23f41ded0462df2b330e9a5b1
SHA512 b87fc0512f0ec4b2a8991e1f27c65b440ef1fb223449ac7f971a738987ca09948c4860a3bbcd07098281c3c2247434448234cc8765a8222fa5db4b17db63e066

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mc.dat

MD5 786df1745a46be0beb31a717d4d219ac
SHA1 ff144f89e6b1b4357ec957ad24a8078f30ef14f4
SHA256 5be4f914b383dbc464215981549063bd3f23ad1833a75bdf682f001c0b622559
SHA512 03cad375391576167e3e2dba7cc8d7ff558f9055270aa90012568ea8fdb2526f2d7bf23d57aa5b6e37e221bfd370f17fac63d26f869d6464c44a233336898c60

C:\Users\Admin\AppData\Local\Temp\RarSFX0\svshorthk.dll

MD5 0dd68b8930c9e39a6d794ab4544a08b3
SHA1 fde93e99a3caa68da6a779a5ec29fd37fdd0c7d1
SHA256 6d9ae822a254d96cddd8e13114e5be9caf9faa57655696bb5c7211dd96b11ad1
SHA512 dcdd233ed41cbe91f13f5daf4a4bdf51fc8a070afbd594f755ee52205aee0dc44c609206e1615e18aab512e9ca2a572116e6b0214ec0d13118ae2fd4e1003437

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

MD5 61022a2265fce6d7158c46b8a48e0e37
SHA1 47410c7c2b0a7073ea47bc8756e97162e0cde163
SHA256 3d4f1282beec16cfc8b14f7aaf21b951086faac3d89249a619f955ae1f05b0b6
SHA512 f7f56b9add45e7b5d3c5884a8c4e86c4bb5536785870714cace5340fb439af90a1adbcc09f4c65da481336f3bbe1c49585d876e012f84f570f7e0a41a292bc23

C:\Windows\SysWOW64\svshort.exe

MD5 bae0fb25bcf05a5da7fde8dce759ee0d
SHA1 bc74b07d14a63ce572755c70ceb796136d129e20
SHA256 b966953b0a0e0bf648b1043b4e708445b52b020a0485921138bbf3be58d9995d
SHA512 74a61f7712df39194b2cb77186231d5960b8bfc5b37abdf20c357471a4e8dd8a8e648161cda7b1c8ee01d422926e3b30fd5ec9c6ebbf589a4feeaeba99ca2929

C:\Windows\SysWOW64\pk.bin

MD5 7bafaa547b6763a866796dd76a748511
SHA1 7eb671e7fc9d41c270b9d2bc8e3d6526b62766f3
SHA256 08eed37fdaf682ca23bd4b2ccfe3d0c61019209f35d0df20da406a76acc72fd0
SHA512 8818d57cacf95e090985ec913ecd3f4ef4c67e7a8586f395d62076d4bc49fc95e9a9e006fa003d5a9b0d24302622bca3861d69cd17ea1b98bc7f542fd5ace36b

C:\Windows\SysWOW64\mc.dat

MD5 6ef573039518dd1b935d5f90575acfc1
SHA1 fa76137f023c90ab85dd0d8376d58135d526d218
SHA256 29855077d58666babb14e533019c1f75dc2280263f04e4d3b5014aba8df4bfb3
SHA512 55c9e7567efbb02453a7a4add946a66447ea6d5444c5605a6d913ea7247e52354142092d339964ddce0921f688f070eae5492d596dec664c1eccd4dfbdd5cf87

C:\Windows\SysWOW64\svshorthk.dll

MD5 58129986fa29f6dacd99ab45f60bcb3c
SHA1 7f21995794a060fc8629e0d113cf568de14c509e
SHA256 525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a
SHA512 62ade2d2eb41cd99dcd9f6d66e7966d129be20551faadcf827558e85d669f885ad144d10a87c3be7faed08103b86ab523fb6756b44f9e0ba77cdff586214701a

C:\Windows\SysWOW64\svshortwb.dll

MD5 2e6016325548ab79e2d636640c6ec473
SHA1 586e2b84d46ef00e26c1686033def28e8a9995a5
SHA256 62e2948c3e3857e8304a657b7e7da30cdcb6842f71bd4c678a1734ebbf17198e
SHA512 1dc89b9e15f5835dff3203e278f000df5c0d8d93cbef5059be3f1024ef1e16ae8087a4f8e1131b20b190942984e9dc6079dfe951a52de7f4d4ad7de8721a0e86

memory/3952-52-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3952-53-0x0000000000400000-0x0000000000412000-memory.dmp