Malware Analysis Report

2025-01-02 07:37

Sample ID 240510-bfz9bshf7y
Target 0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe
SHA256 0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d
Tags
privateloader loader persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d

Threat Level: Known bad

The file 0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe was found to be: Known bad.

Malicious Activity Summary

privateloader loader persistence

PrivateLoader

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Modifies system certificate store

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies registry key

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 01:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 01:05

Reported

2024-05-10 01:08

Platform

win7-20240220-en

Max time kernel

122s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe"

Signatures

PrivateLoader

loader privateloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp N/A
N/A N/A C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\SmartTool Calculator = "C:\\Users\\Admin\\AppData\\Local\\SmartTool Calculator\\Calculator.exe minimized" C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hamsupdate = "C:\\Users\\Admin\\AppData\\Roaming\\HamsterSoft\\sxcon.exe" C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 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 C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 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 C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 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 C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 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 C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-6M1M7.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 1992 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-6M1M7.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 1992 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-6M1M7.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 1992 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-6M1M7.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 1992 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-6M1M7.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 1992 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-6M1M7.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 1992 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-6M1M7.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 2032 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\is-6M1M7.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe
PID 2032 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\is-6M1M7.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe
PID 2032 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\is-6M1M7.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe
PID 2032 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\is-6M1M7.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe
PID 2032 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\is-6M1M7.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe
PID 2032 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\is-6M1M7.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe
PID 2032 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\is-6M1M7.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe
PID 2016 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 2016 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 2016 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 2016 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 2016 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 2016 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 2016 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 2644 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2644 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe
PID 2644 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe
PID 2644 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe
PID 2644 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe
PID 2644 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe
PID 2644 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe
PID 2644 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe
PID 2644 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe
PID 1432 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe
PID 1432 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe
PID 1432 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe
PID 1432 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe
PID 1432 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe C:\Windows\SysWOW64\reg.exe
PID 1432 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe C:\Windows\SysWOW64\reg.exe
PID 1432 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe C:\Windows\SysWOW64\reg.exe
PID 1432 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe

"C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe"

C:\Users\Admin\AppData\Local\Temp\is-6M1M7.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp

"C:\Users\Admin\AppData\Local\Temp\is-6M1M7.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp" /SL5="$80122,32947792,832512,C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe"

C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe

"C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SQ7IB.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp" /SL5="$90122,32947792,832512,C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe" /SILENT

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /f /im "Calculator.exe"

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /f /im "sxcon.exe"

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /f /im "Calculator.exe"

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /f /im "sxcon.exe"

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /f /im "sxcon.exe"

C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe

"C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe"

C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe

"C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe"

C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe

"C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe" --type=renderer --no-sandbox --service-pipe-token=0A7F977832364069C529B1752BA8AB4D --lang=en-US --app-user-model-id=28C03FE7-5479-424F-A3A9-E2C470A11798 --app-path="C:\Users\Admin\AppData\Local\SmartTool Calculator\resources\app.asar" --node-integration=true --webview-tag=false --no-sandbox --background-color=#fff --context-id=2 --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=0A7F977832364069C529B1752BA8AB4D --renderer-client-id=3 --mojo-platform-channel-handle=1432 /prefetch:1

C:\Windows\SysWOW64\reg.exe

C:\Windows\system32\reg.exe QUERY HKCU\Software\SmartTools\Calculator /v channel

Network

Country Destination Domain Proto
US 8.8.8.8:53 abwumazh7u.s3.amazonaws.com udp
DE 52.219.171.91:443 abwumazh7u.s3.amazonaws.com tcp
US 8.8.8.8:53 gksxsd.com udp
NL 23.109.55.164:443 gksxsd.com tcp
US 8.8.8.8:53 nl.node.soax.com udp
NL 23.109.105.4:443 nl.node.soax.com tcp
NL 23.109.105.4:443 nl.node.soax.com tcp
US 8.8.8.8:53 best-calc.ru udp
DE 176.9.121.140:80 best-calc.ru tcp
US 8.8.8.8:53 o1015326.ingest.sentry.io udp
US 34.120.195.249:443 o1015326.ingest.sentry.io tcp
US 8.8.8.8:53 hamstersoft-app-install.s3.eu-west-2.amazonaws.com udp
GB 52.95.150.6:443 hamstersoft-app-install.s3.eu-west-2.amazonaws.com tcp
GB 52.95.150.6:443 hamstersoft-app-install.s3.eu-west-2.amazonaws.com tcp
US 8.8.8.8:53 sentry.supermegabest.com udp
US 103.224.212.217:443 sentry.supermegabest.com tcp
US 103.224.212.217:443 sentry.supermegabest.com tcp
US 8.8.8.8:53 ww25.sentry.supermegabest.com udp
US 199.59.243.225:80 ww25.sentry.supermegabest.com tcp

Files

memory/1992-0-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1992-2-0x0000000000401000-0x00000000004B7000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-6M1M7.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp

MD5 37a5e9e3880124ccc73692e1ee419db9
SHA1 6dc5410242f192fd7bed0478d40d72861f392612
SHA256 6d330048d28b24b6b928be3eb2b9ced7eecf35092a89932e84ece7c94b35aab4
SHA512 636c0cb81c23c66a042dac50dd2f9d610742288498b0b991457f539154a61b3aab6a7ec95d8c3876d69e9ef5f75b922d97ac171c88d4de1acfa289d52c21b14f

memory/2032-8-0x0000000000400000-0x000000000071B000-memory.dmp

memory/2032-12-0x0000000000400000-0x000000000071B000-memory.dmp

memory/2016-13-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1992-16-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe

MD5 1b9bc9ca78c9eba9d281e484a168b7da
SHA1 0b7c0b8965d03cafeab9f64218e945ec903b79c0
SHA256 b26795f7a82aa499aad24c4cf54462c24366877cc75f97871a983d9c72383ee2
SHA512 c024adc388e3f6a50f987033bceee942ce0ccbcce6bddc691174a4888785b62b9e66938bfd12e7a5f832247daefc13dd129711de6bcc9f58fa796a17bcf17644

memory/2268-268-0x0000000000B80000-0x0000000000B88000-memory.dmp

C:\Users\Admin\AppData\Roaming\HamsterSoft\libhamster.dll

MD5 794dfc05ba429ebcb7fa579641754f36
SHA1 95d7ccc81a04be1f2c9c9f55b5cf11e438dc19b8
SHA256 724b3ebe91761685a44c20d92a606ccd3f2146d772e231833c8795aea3845db6
SHA512 1c4aff573cf68c1e749bc07fc8bc559f1eab441d9a78c08d432bfd561e9d06bb80383cc5aa5dfeb8b4a361c96fe60f33bec83946da6ce62669340552de565b58

\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe

MD5 820853e9070d8dc31ecab84f0fb63da6
SHA1 2875f689e2c36a685c8ddf6d1cbd66a56f1e3f53
SHA256 222a6b65f92eeba14acd663bf9cbb8531ba6b6a896eb6c37b8967f27b2d13f9c
SHA512 880fe580bf6172e99dd019d402d78792da7eb1089f8c0d89b95e5b5d2bd7db82b89cdb827ffbaabfa7d041db7ace24dca69a13e3c2e07ceaccc3562e4ee147b2

C:\Users\Admin\AppData\Local\SmartTool Calculator\node.dll

MD5 50a895904d6a872f3e54309fba6c3ba2
SHA1 6416eccd706d9e1828d2865aea0428573a919533
SHA256 eb36f39cd4caf8c9bca32432f821b5c97286d26e6e1f6d6d91335f40a0aab7e1
SHA512 58b66e2585312643b4bff858e3c64fa21d72e0b35ba38e1097f40bc5ed5b4c2e126d727000bed2d4803a9f1bff76c698270f0a2edf838c46cc5fdd3b11570a23

memory/2644-284-0x0000000000400000-0x000000000071B000-memory.dmp

memory/2016-286-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\SmartTool Calculator\vcruntime140.dll

MD5 a2523ea6950e248cbdf18c9ea1a844f6
SHA1 549c8c2a96605f90d79a872be73efb5d40965444
SHA256 6823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4
SHA512 2141c041b6bdbee9ec10088b9d47df02bf72143eb3619e8652296d617efd77697f4dc8727d11998695768843b4e94a47b1aed2c6fb9f097ffc8a42ca7aaaf66a

C:\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-crt-runtime-l1-1-0.dll

MD5 41a348f9bedc8681fb30fa78e45edb24
SHA1 66e76c0574a549f293323dd6f863a8a5b54f3f9b
SHA256 c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
SHA512 8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204

C:\Users\Admin\AppData\Local\SmartTool Calculator\ucrtbase.DLL

MD5 d6326267ae77655f312d2287903db4d3
SHA1 1268bef8e2ca6ebc5fb974fdfaff13be5ba7574f
SHA256 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9
SHA512 11db71d286e9df01cb05acef0e639c307efa3fef8442e5a762407101640ac95f20bad58f0a21a4df7dbcda268f934b996d9906434bf7e575c4382281028f64d4

\Users\Admin\AppData\Local\SmartTool Calculator\msvcp140.dll

MD5 d25c3ff7a4cbbffc7c9fff4f659051ce
SHA1 02fe8d84d7f74c2721ff47d72a6916028c8f2e8a
SHA256 9c1dc36d319382e1501cdeaae36bad5b820ea84393ef6149e377d2fb2fc361a5
SHA512 945fe55b43326c95f1eee643d46a53b69a463a88bd149f90e9e193d71b84f4875455d37fd4f06c1307bb2cdbe99c1f6e18cb33c0b8679cd11fea820d7e728065

C:\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-core-file-l1-2-0.dll

MD5 e2f648ae40d234a3892e1455b4dbbe05
SHA1 d9d750e828b629cfb7b402a3442947545d8d781b
SHA256 c8c499b012d0d63b7afc8b4ca42d6d996b2fcf2e8b5f94cacfbec9e6f33e8a03
SHA512 18d4e7a804813d9376427e12daa444167129277e5ff30502a0fa29a96884bf902b43a5f0e6841ea1582981971843a4f7f928f8aecac693904ab20ca40ee4e954

C:\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-core-timezone-l1-1-0.dll

MD5 babf80608fd68a09656871ec8597296c
SHA1 33952578924b0376ca4ae6a10b8d4ed749d10688
SHA256 24c9aa0b70e557a49dac159c825a013a71a190df5e7a837bfa047a06bba59eca
SHA512 3ffffd90800de708d62978ca7b50fe9ce1e47839cda11ed9e7723acec7ab5829fa901595868e4ab029cdfb12137cf8ecd7b685953330d0900f741c894b88257b

\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-core-synch-l1-2-0.dll

MD5 0d1aa99ed8069ba73cfd74b0fddc7b3a
SHA1 ba1f5384072df8af5743f81fd02c98773b5ed147
SHA256 30d99ce1d732f6c9cf82671e1d9088aa94e720382066b79175e2d16778a3dad1
SHA512 6b1a87b1c223b757e5a39486be60f7dd2956bb505a235df406bcf693c7dd440e1f6d65ffef7fde491371c682f4a8bb3fd4ce8d8e09a6992bb131addf11ef2bf9

C:\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-crt-utility-l1-1-0.dll

MD5 b52a0ca52c9c207874639b62b6082242
SHA1 6fb845d6a82102ff74bd35f42a2844d8c450413b
SHA256 a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1b9a2b0
SHA512 18834d89376d703bd461edf7738eb723ad8d54cb92acc9b6f10cbb55d63db22c2a0f2f3067fe2cc6feb775db397030606608ff791a46bf048016a1333028d0a4

C:\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-crt-conio-l1-1-0.dll

MD5 6ea692f862bdeb446e649e4b2893e36f
SHA1 84fceae03d28ff1907048acee7eae7e45baaf2bd
SHA256 9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2
SHA512 9661c135f50000e0018b3e5c119515cfe977b2f5f88b0f5715e29df10517b196c81694d074398c99a572a971ec843b3676d6a831714ab632645ed25959d5e3e7

C:\Users\Admin\AppData\Local\SmartTool Calculator\ffmpeg.dll

MD5 f594c7171cf0218e87cf8ea8108e06cf
SHA1 434388f4183be2df60dc0240b02ef65767bc603c
SHA256 92ff6d9d1b57cc391fec194c65e6e0cd5d0817c0b1c1d98b34cacb7fbde99240
SHA512 23f850bc240f976c7eba62a709d839bf7aaa5d62f23046c5c8a79cff4af4f91477320116099d596cf076c09d79b2f64d2e6f8d83d3df896caa5c27c65ad3838b

\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-crt-environment-l1-1-0.dll

MD5 ac290dad7cb4ca2d93516580452eda1c
SHA1 fa949453557d0049d723f9615e4f390010520eda
SHA256 c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382
SHA512 b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8

\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 aec2268601470050e62cb8066dd41a59
SHA1 363ed259905442c4e3b89901bfd8a43b96bf25e4
SHA256 7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2
SHA512 0c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f

\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-crt-time-l1-1-0.dll

MD5 849f2c3ebf1fcba33d16153692d5810f
SHA1 1f8eda52d31512ebfdd546be60990b95c8e28bfb
SHA256 69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d
SHA512 44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5

C:\Users\Admin\AppData\Local\SmartTool Calculator\natives_blob.bin

MD5 f340d67e7b6c4b74780677df1351f0e3
SHA1 bdb9130ddfd3efb1a26afcdfa869b30ac0069197
SHA256 359ba7c5c7f523f701d77b4cdd6bbbf23597dc8856dd2c5d7c5abf3168a974b3
SHA512 96515f0d2a677588a17bed01a71f062a7643a0ab0272cef67d25206506650b8c9deab210e40c79e33adf41b581e60a36a4b0d9c8a656029b343409c8bf7c2e5a

C:\Users\Admin\AppData\Local\SmartTool Calculator\snapshot_blob.bin

MD5 25cb86dd6bbdc336f3d095df4ad620d0
SHA1 26d9d3f31a2a6bf84c52fa70838c845366512a0d
SHA256 51f65ce56f07dd3b1dea54c5aba8a540303a63714f8c0ff9c5d14c08cf692cf0
SHA512 84b206fdebe890c7cefa66068341e4345a773f0a4ed30904101402bf83c55c174cbc69f6ccba91bd63dd620dd003ef0b527d4efb942850f04ba35984d9622bf5

C:\Users\Admin\AppData\Local\SmartTool Calculator\icudtl.dat

MD5 d1fb52ed611b2fb214482d877921bfef
SHA1 b0a3c6c9ab60e2eb2bd68c10de5490978fed8321
SHA256 f4b7a46a026455785937c2aef596f92a02136129f7615200f7efc983ac2fadb2
SHA512 fba3b692088ba0bfcca1623d0e1490eeab7a097b99e9d0395d3744067b059b663228c4afa4604f54d14671d529a3c4aefd3b558fa2662e5849ddad9d80095efc

\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-crt-multibyte-l1-1-0.dll

MD5 35fc66bd813d0f126883e695664e7b83
SHA1 2fd63c18cc5dc4defc7ea82f421050e668f68548
SHA256 66abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa716735
SHA512 65f8397de5c48d3df8ad79baf46c1d3a0761f727e918ae63612ea37d96adf16cc76d70d454a599f37f9ba9b4e2e38ebc845df4c74fc1e1131720fd0dcb881431

\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-crt-math-l1-1-0.dll

MD5 8b0ba750e7b15300482ce6c961a932f0
SHA1 71a2f5d76d23e48cef8f258eaad63e586cfc0e19
SHA256 bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed
SHA512 fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a

\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-crt-locale-l1-1-0.dll

MD5 a2f2258c32e3ba9abf9e9e38ef7da8c9
SHA1 116846ca871114b7c54148ab2d968f364da6142f
SHA256 565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33
SHA512 e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe

\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-crt-convert-l1-1-0.dll

MD5 72e28c902cd947f9a3425b19ac5a64bd
SHA1 9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7
SHA256 3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1
SHA512 58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff

memory/1432-337-0x00000000001E0000-0x00000000001E1000-memory.dmp

\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-crt-stdio-l1-1-0.dll

MD5 fefb98394cb9ef4368da798deab00e21
SHA1 316d86926b558c9f3f6133739c1a8477b9e60740
SHA256 b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7
SHA512 57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8

\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-crt-heap-l1-1-0.dll

MD5 93d3da06bf894f4fa21007bee06b5e7d
SHA1 1e47230a7ebcfaf643087a1929a385e0d554ad15
SHA256 f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d
SHA512 72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6

\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-crt-string-l1-1-0.dll

MD5 404604cd100a1e60dfdaf6ecf5ba14c0
SHA1 58469835ab4b916927b3cabf54aee4f380ff6748
SHA256 73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c
SHA512 da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4

\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-core-file-l2-1-0.dll

MD5 e479444bdd4ae4577fd32314a68f5d28
SHA1 77edf9509a252e886d4da388bf9c9294d95498eb
SHA256 c85dc081b1964b77d289aac43cc64746e7b141d036f248a731601eb98f827719
SHA512 2afab302fe0f7476a4254714575d77b584cd2dc5330b9b25b852cd71267cda365d280f9aa8d544d4687dc388a2614a51c0418864c41ad389e1e847d81c3ab744

\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-core-processthreads-l1-1-1.dll

MD5 d0289835d97d103bad0dd7b9637538a1
SHA1 8ceebe1e9abb0044808122557de8aab28ad14575
SHA256 91eeb842973495deb98cef0377240d2f9c3d370ac4cf513fd215857e9f265a6a
SHA512 97c47b2e1bfd45b905f51a282683434ed784bfb334b908bf5a47285f90201a23817ff91e21ea0b9ca5f6ee6b69acac252eec55d895f942a94edd88c4bfd2dafd

\Users\Admin\AppData\Local\SmartTool Calculator\api-ms-win-core-localization-l1-2-0.dll

MD5 eff11130bfe0d9c90c0026bf2fb219ae
SHA1 cf4c89a6e46090d3d8feeb9eb697aea8a26e4088
SHA256 03ad57c24ff2cf895b5f533f0ecbd10266fd8634c6b9053cc9cb33b814ad5d97
SHA512 8133fb9f6b92f498413db3140a80d6624a705f80d9c7ae627dfd48adeb8c5305a61351bf27bbf02b4d3961f9943e26c55c2a66976251bb61ef1537bc8c212add

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

memory/1648-368-0x0000000000560000-0x0000000000561000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar2E67.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85aacc1e14f86458fea6bb5405095274
SHA1 0e638305b5a057277d2f6c7d3f3b38dcf882e012
SHA256 d69b22120147f671f68e22f1d9ece871a2e8d199c457fa62ac2bac53b2dc362b
SHA512 89b91b6f1839f794661c39a4c7c1a8f18f2939d0241dc6a01aa8efc11917fb9186082217c1a5dea826895e231bd1a8f704de6d0007fdb765c65ae7e9625dbf6a

memory/2268-546-0x0000000071820000-0x0000000071F17000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 01:05

Reported

2024-05-10 01:08

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe"

Signatures

PrivateLoader

loader privateloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-VNJQR.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmartTool Calculator = "C:\\Users\\Admin\\AppData\\Local\\SmartTool Calculator\\Calculator.exe minimized" C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hamsupdate = "C:\\Users\\Admin\\AppData\\Roaming\\HamsterSoft\\sxcon.exe" C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (value omitted) C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48
c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (value omitted) C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (value omitted) C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3540 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-VNJQR.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 3540 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-VNJQR.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 3540 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-VNJQR.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 1776 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\is-VNJQR.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe
PID 1776 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\is-VNJQR.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe
PID 1776 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\is-VNJQR.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe
PID 4008 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 4008 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 4008 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp
PID 3692 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3692 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3692 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3692 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3692 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3692 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3692 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3692 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3692 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3692 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3692 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3692 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3692 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3692 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3692 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Windows\SysWOW64\taskkill.exe
PID 3692 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe
PID 3692 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe
PID 3692 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe
PID 3692 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe
PID 3692 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe
PID 3692 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe
PID 2708 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe
PID 2708 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe
PID 2708 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe
PID 2708 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe C:\Windows\SysWOW64\reg.exe
PID 2708 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe C:\Windows\SysWOW64\reg.exe
PID 2708 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe

"C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe"

C:\Users\Admin\AppData\Local\Temp\is-VNJQR.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VNJQR.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp" /SL5="$7006C,32947792,832512,C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe"

C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe

"C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp

"C:\Users\Admin\AppData\Local\Temp\is-M179P.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp" /SL5="$8006C,32947792,832512,C:\Users\Admin\AppData\Local\Temp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.exe" /SILENT

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /f /im "Calculator.exe"

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /f /im "sxcon.exe"

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /f /im "Calculator.exe"

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /f /im "sxcon.exe"

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /f /im "sxcon.exe"

C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe

"C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe"

C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe

"C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe"

C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe

"C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe" --type=renderer --no-sandbox --service-pipe-token=7F9D1961144AF6B660750CAED51DD049 --lang=en-US --app-user-model-id=28C03FE7-5479-424F-A3A9-E2C470A11798 --app-path="C:\Users\Admin\AppData\Local\SmartTool Calculator\resources\app.asar" --node-integration=true --webview-tag=false --no-sandbox --background-color=#fff --context-id=2 --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=7F9D1961144AF6B660750CAED51DD049 --renderer-client-id=3 --mojo-platform-channel-handle=2284 /prefetch:1

C:\Windows\SysWOW64\reg.exe

C:\Windows\system32\reg.exe QUERY HKCU\Software\SmartTools\Calculator /v channel

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 abwumazh7u.s3.amazonaws.com udp
DE 3.5.136.153:443 abwumazh7u.s3.amazonaws.com tcp
US 8.8.8.8:53 hamstersoft-app-install.s3.eu-west-2.amazonaws.com udp
GB 3.5.245.136:443 hamstersoft-app-install.s3.eu-west-2.amazonaws.com tcp
US 8.8.8.8:53 gksxsd.com udp
NL 23.109.55.108:443 gksxsd.com tcp
US 8.8.8.8:53 153.136.5.3.in-addr.arpa udp
US 8.8.8.8:53 136.245.5.3.in-addr.arpa udp
US 8.8.8.8:53 107.39.156.108.in-addr.arpa udp
US 8.8.8.8:53 nl.node.soax.com udp
NL 23.109.104.180:443 nl.node.soax.com tcp
NL 23.109.104.180:443 nl.node.soax.com tcp
US 8.8.8.8:53 108.55.109.23.in-addr.arpa udp
US 8.8.8.8:53 180.104.109.23.in-addr.arpa udp
NL 23.109.104.180:443 nl.node.soax.com tcp
NL 23.109.104.180:443 nl.node.soax.com tcp
NL 23.109.104.180:443 nl.node.soax.com tcp
NL 23.109.104.180:443 nl.node.soax.com tcp
NL 23.109.104.180:443 nl.node.soax.com tcp
US 8.8.8.8:53 o1015326.ingest.sentry.io udp
US 34.120.195.249:443 o1015326.ingest.sentry.io tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 249.195.120.34.in-addr.arpa udp
US 8.8.8.8:53 best-calc.ru udp
DE 176.9.121.140:80 best-calc.ru tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 sentry.supermegabest.com udp
US 103.224.212.217:443 sentry.supermegabest.com tcp
US 103.224.212.217:443 sentry.supermegabest.com tcp
US 8.8.8.8:53 ww25.sentry.supermegabest.com udp
US 199.59.243.225:80 ww25.sentry.supermegabest.com tcp
US 8.8.8.8:53 217.212.224.103.in-addr.arpa udp
US 8.8.8.8:53 225.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 nl.node.soax.com udp
NL 23.109.104.180:443 nl.node.soax.com tcp
NL 23.109.104.180:443 nl.node.soax.com tcp
NL 23.109.104.180:443 nl.node.soax.com tcp
NL 23.109.104.180:443 nl.node.soax.com tcp
NL 23.109.104.180:443 nl.node.soax.com tcp
NL 23.109.104.180:443 nl.node.soax.com tcp
NL 23.109.104.180:443 nl.node.soax.com tcp

Files

memory/3540-0-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3540-2-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-VNJQR.tmp\0bce62b057e8d60bcbaa16c3d8571943f7ea7e42f5bcfab85f1968a266e5386d.tmp

MD5 37a5e9e3880124ccc73692e1ee419db9
SHA1 6dc5410242f192fd7bed0478d40d72861f392612
SHA256 6d330048d28b24b6b928be3eb2b9ced7eecf35092a89932e84ece7c94b35aab4
SHA512 636c0cb81c23c66a042dac50dd2f9d610742288498b0b991457f539154a61b3aab6a7ec95d8c3876d69e9ef5f75b922d97ac171c88d4de1acfa289d52c21b14f

memory/1776-6-0x0000000000400000-0x000000000071B000-memory.dmp

memory/4008-9-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4008-11-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1776-13-0x0000000000400000-0x000000000071B000-memory.dmp

memory/3540-15-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3692-20-0x0000000000400000-0x000000000071B000-memory.dmp

C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe

MD5 1b9bc9ca78c9eba9d281e484a168b7da
SHA1 0b7c0b8965d03cafeab9f64218e945ec903b79c0
SHA256 b26795f7a82aa499aad24c4cf54462c24366877cc75f97871a983d9c72383ee2
SHA512 c024adc388e3f6a50f987033bceee942ce0ccbcce6bddc691174a4888785b62b9e66938bfd12e7a5f832247daefc13dd129711de6bcc9f58fa796a17bcf17644

C:\Users\Admin\AppData\Local\SmartTool Calculator\Calculator.exe

MD5 820853e9070d8dc31ecab84f0fb63da6
SHA1 2875f689e2c36a685c8ddf6d1cbd66a56f1e3f53
SHA256 222a6b65f92eeba14acd663bf9cbb8531ba6b6a896eb6c37b8967f27b2d13f9c
SHA512 880fe580bf6172e99dd019d402d78792da7eb1089f8c0d89b95e5b5d2bd7db82b89cdb827ffbaabfa7d041db7ace24dca69a13e3c2e07ceaccc3562e4ee147b2

C:\Users\Admin\AppData\Roaming\HamsterSoft\libhamster.dll

MD5 794dfc05ba429ebcb7fa579641754f36
SHA1 95d7ccc81a04be1f2c9c9f55b5cf11e438dc19b8
SHA256 724b3ebe91761685a44c20d92a606ccd3f2146d772e231833c8795aea3845db6
SHA512 1c4aff573cf68c1e749bc07fc8bc559f1eab441d9a78c08d432bfd561e9d06bb80383cc5aa5dfeb8b4a361c96fe60f33bec83946da6ce62669340552de565b58

memory/2160-275-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

C:\Users\Admin\AppData\Local\SmartTool Calculator\ffmpeg.dll

MD5 f594c7171cf0218e87cf8ea8108e06cf
SHA1 434388f4183be2df60dc0240b02ef65767bc603c
SHA256 92ff6d9d1b57cc391fec194c65e6e0cd5d0817c0b1c1d98b34cacb7fbde99240
SHA512 23f850bc240f976c7eba62a709d839bf7aaa5d62f23046c5c8a79cff4af4f91477320116099d596cf076c09d79b2f64d2e6f8d83d3df896caa5c27c65ad3838b

C:\Users\Admin\AppData\Local\SmartTool Calculator\node.dll

MD5 50a895904d6a872f3e54309fba6c3ba2
SHA1 6416eccd706d9e1828d2865aea0428573a919533
SHA256 eb36f39cd4caf8c9bca32432f821b5c97286d26e6e1f6d6d91335f40a0aab7e1
SHA512 58b66e2585312643b4bff858e3c64fa21d72e0b35ba38e1097f40bc5ed5b4c2e126d727000bed2d4803a9f1bff76c698270f0a2edf838c46cc5fdd3b11570a23

C:\Users\Admin\AppData\Local\SmartTool Calculator\vcruntime140.dll

MD5 a2523ea6950e248cbdf18c9ea1a844f6
SHA1 549c8c2a96605f90d79a872be73efb5d40965444
SHA256 6823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4
SHA512 2141c041b6bdbee9ec10088b9d47df02bf72143eb3619e8652296d617efd77697f4dc8727d11998695768843b4e94a47b1aed2c6fb9f097ffc8a42ca7aaaf66a

memory/3692-295-0x0000000000400000-0x000000000071B000-memory.dmp

memory/4008-298-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\SmartTool Calculator\natives_blob.bin

MD5 f340d67e7b6c4b74780677df1351f0e3
SHA1 bdb9130ddfd3efb1a26afcdfa869b30ac0069197
SHA256 359ba7c5c7f523f701d77b4cdd6bbbf23597dc8856dd2c5d7c5abf3168a974b3
SHA512 96515f0d2a677588a17bed01a71f062a7643a0ab0272cef67d25206506650b8c9deab210e40c79e33adf41b581e60a36a4b0d9c8a656029b343409c8bf7c2e5a

C:\Users\Admin\AppData\Local\SmartTool Calculator\snapshot_blob.bin

MD5 25cb86dd6bbdc336f3d095df4ad620d0
SHA1 26d9d3f31a2a6bf84c52fa70838c845366512a0d
SHA256 51f65ce56f07dd3b1dea54c5aba8a540303a63714f8c0ff9c5d14c08cf692cf0
SHA512 84b206fdebe890c7cefa66068341e4345a773f0a4ed30904101402bf83c55c174cbc69f6ccba91bd63dd620dd003ef0b527d4efb942850f04ba35984d9622bf5

memory/2708-299-0x0000000006C60000-0x0000000006C61000-memory.dmp

C:\Users\Admin\AppData\Local\SmartTool Calculator\icudtl.dat

MD5 d1fb52ed611b2fb214482d877921bfef
SHA1 b0a3c6c9ab60e2eb2bd68c10de5490978fed8321
SHA256 f4b7a46a026455785937c2aef596f92a02136129f7615200f7efc983ac2fadb2
SHA512 fba3b692088ba0bfcca1623d0e1490eeab7a097b99e9d0395d3744067b059b663228c4afa4604f54d14671d529a3c4aefd3b558fa2662e5849ddad9d80095efc

C:\Users\Admin\AppData\Local\SmartTool Calculator\msvcp140.dll

MD5 d25c3ff7a4cbbffc7c9fff4f659051ce
SHA1 02fe8d84d7f74c2721ff47d72a6916028c8f2e8a
SHA256 9c1dc36d319382e1501cdeaae36bad5b820ea84393ef6149e377d2fb2fc361a5
SHA512 945fe55b43326c95f1eee643d46a53b69a463a88bd149f90e9e193d71b84f4875455d37fd4f06c1307bb2cdbe99c1f6e18cb33c0b8679cd11fea820d7e728065

C:\Users\Admin\AppData\Local\SmartTool Calculator\resources\electron.asar

MD5 b06d496c2d5ab31ac50c6a203c7fc321
SHA1 fa9e21c0974c1de0f2aacb2b9404f10da5d6dd8c
SHA256 5a264c598011aa1e163bbb3702cc78149f1f9bb6ddc8d37ef14dc9b835770c0f
SHA512 dafeda99f4f516af839e832ac8054532264f9bf5d4f81bab333e746c4384b77a1b29e784968c1c6517f56ac28960dee3b4f796fecf919a8b56c6813fe17a3160

C:\Users\Admin\AppData\Local\SmartTool Calculator\resources\app.asar

MD5 8c06d82a5ace1ed48086b165da44c407
SHA1 1204dce4ce67e41da1dca9749bceb0181278d82c
SHA256 dbb56eaecf2362442aeb5fd81c660a0faca6ee5117ee789933b1ddf0a363a290
SHA512 6af8eb9ef1841f0efdbaf5be96d95e159447759a380801e8ef17757e3a9b7f910c5e0aef513a08bb1292cbd271201681b5a0f5e20c0384cd1a934dafda3fabad

C:\Users\Admin\AppData\Local\SmartTool Calculator\views_resources_200_percent.pak

MD5 f34a4184574296ba08c6ca4a8a627feb
SHA1 806342993f7d9d0959e9abf2765ae24bc8451b53
SHA256 b5d2cb3d32a6cf2faa99acc34b68748d06cf1e4f911fd23675dc6383298e6fe0
SHA512 c2866a39475f11c09986cecbcff4e93286f0f342a03c33261170e9d67706deeef2cac4b530f5844570efaff6ada75a657e14692169221b0330e3ce9b9799c11b

C:\Users\Admin\AppData\Local\SmartTool Calculator\ui_resources_200_percent.pak

MD5 2b158ae51ba8fb860af7b2a00d14c5ef
SHA1 00a18aa978b7f466616c44f1decbb4bb94dcdece
SHA256 fa39da43c2768b24d65f3b7a1679444c16ee7ee621397b45f717389be594d40d
SHA512 3330ff3ab022d7a9204f6ada635c01b8f5c615257f5114a651ae43ba9c17a156e699e23c376a11a336c35dd68272b87eed799919561dc9857e294c1c5620bc37

C:\Users\Admin\AppData\Local\SmartTool Calculator\content_resources_200_percent.pak

MD5 7c321056f805aabd5a503821fa1994cd
SHA1 9c690875c9189c66c93ebd4c0971739653bccd19
SHA256 261e6aad3ad0a5f608b5694919ee39026c4c3eb4256540068f7c1aa46be9315a
SHA512 8a5f4b3726e4513251475ac470f86f0daa0d5ae42bb750019ce96ed871cb04a7391cea2cef79e67c585e3a982041575e60d0f79b3a5bb9ad09be53362787f090

C:\Users\Admin\AppData\Local\SmartTool Calculator\blink_image_resources_200_percent.pak

MD5 f32ba921fe0c82afd410540b3b02eff9
SHA1 7b192c1c8b9a0a2b8a4478385f107c06afd2d79e
SHA256 01e196f49a1a6e73940d70274ffd31dfa07228b2b55d7931a21d64a09ac4cdda
SHA512 4415ecb69db5400506d299aaad39d57dbf1b94d6b126a23258277c9d7924722453ffe6bae8ab817a9f31dd7a111447fd9bace82c5a7b7b0aede2bad1df8bfa75

C:\Users\Admin\AppData\Local\SmartTool Calculator\pdf_viewer_resources.pak

MD5 37023976766b3bd96ac1484a9d0a4386
SHA1 0a682dd5b0513f4b40be56daa4946e192904401c
SHA256 0c424023a608e7a67255b65078341aac81ad1c967d03b7ec12942d48bf19b148
SHA512 6ce74691ff8719e7edc268dd18a34bed419e8eb37515eaa05c608d22a929f4f085955ccbc80498fc086b6a3aac0acf51ef9c567ef7c8991d009fce2d4633bc39

C:\Users\Admin\AppData\Local\SmartTool Calculator\content_shell.pak

MD5 55f9480f9f55fe6fd1ea9f431120a1bb
SHA1 63384fd498cc9ceae8c568c4dd90516f94fabd71
SHA256 d830e987acd57464bcbc3bd538103fddfb4a276f9cb823c1340e3f358189323c
SHA512 7619ac9029a2534849e68b8beb83b60b7192298119666364493f4bdd2c85dfc9dcea85deb6a46051758b8679093e3e8ea30aa36cdf1b1a337b0127d6c28031cd

C:\Users\Admin\AppData\Local\SmartTool Calculator\locales\en-US.pak

MD5 79e4958717489818b667c1338da53063
SHA1 59d832949e80605f396c1e984ae7a2211600de96
SHA256 fa573f6af8fa12f19bf73004b9f130c77bb110b4a3e48aad20eca899e79b6dbb
SHA512 5cb92a60a5da370afcebffa95a0b8e50bf3817b3be3b31f389183d4d283a3f1bb22d0faa1c0547891173b866570d0ad21e384280b685b74269bea6b0bcf1e447

memory/3756-317-0x0000000007240000-0x0000000007241000-memory.dmp

memory/2160-334-0x0000000070540000-0x0000000070C37000-memory.dmp

memory/2160-335-0x0000000070540000-0x0000000070C37000-memory.dmp

memory/2160-336-0x0000000070540000-0x0000000070C37000-memory.dmp

memory/2160-337-0x0000000070540000-0x0000000070C37000-memory.dmp

memory/2160-339-0x0000000070540000-0x0000000070C37000-memory.dmp

memory/2160-342-0x0000000070540000-0x0000000070C37000-memory.dmp

memory/2160-343-0x0000000070540000-0x0000000070C37000-memory.dmp

memory/2160-344-0x0000000070540000-0x0000000070C37000-memory.dmp

memory/2160-346-0x0000000070540000-0x0000000070C37000-memory.dmp

memory/2160-347-0x0000000070540000-0x0000000070C37000-memory.dmp

memory/2160-348-0x0000000070540000-0x0000000070C37000-memory.dmp

memory/2160-349-0x0000000070540000-0x0000000070C37000-memory.dmp