Malware Analysis Report

2025-01-02 07:32

Sample ID 240815-zxjvnsyemm
Target f609255239103210afd42d9f3bc3f530N.exe
SHA256 132c73cbf38ad49574d97500cdd3342721e4bbbe41d9a6b152c8619b95e145ac
Tags
upx floxif backdoor discovery evasion trojan persistence privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

132c73cbf38ad49574d97500cdd3342721e4bbbe41d9a6b152c8619b95e145ac

Threat Level: Known bad

The file f609255239103210afd42d9f3bc3f530N.exe was found to be: Known bad.

Malicious Activity Summary

upx floxif backdoor discovery evasion trojan persistence privilege_escalation

Floxif, Floodfix

Detects Floxif payload

Event Triggered Execution: AppInit DLLs

Checks computer location settings

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 21:05

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 21:05

Reported

2024-08-15 21:07

Platform

win7-20240729-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe N/A
File created \??\c:\program files\common files\system\symsrv.dll.000 C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe N/A
File created \??\c:\program files\common files\system\symsrv.dll.000 C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bootgrabber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Windows\System32\msfeedssync.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\System32\msfeedssync.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Windows\system32\msfeedssync.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\system32\msfeedssync.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe
PID 2128 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe
PID 2128 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe
PID 2128 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe
PID 2008 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe
PID 2008 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe
PID 2008 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe
PID 2008 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe
PID 1648 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Windows\System32\msfeedssync.exe
PID 1648 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Windows\System32\msfeedssync.exe
PID 1648 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Windows\System32\msfeedssync.exe
PID 1648 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bootgrabber.exe
PID 1648 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bootgrabber.exe
PID 1648 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bootgrabber.exe
PID 1648 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bootgrabber.exe
PID 1648 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Windows\system32\msfeedssync.exe
PID 1648 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Windows\system32\msfeedssync.exe
PID 1648 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Windows\system32\msfeedssync.exe
PID 1648 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe
PID 1648 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe
PID 1648 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe
PID 1648 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe
PID 1648 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe
PID 1648 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe
PID 1648 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe
PID 1648 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe
PID 2480 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe
PID 2480 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe
PID 2480 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe
PID 2480 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe
PID 2964 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe
PID 2964 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe
PID 2964 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe
PID 2964 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe

"C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe"

C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe

"C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe" -sfxwaitall:0 "EasyBCD.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe"

C:\Windows\System32\msfeedssync.exe

"C:\Windows\System32\msfeedssync.exe" forcesync

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bootgrabber.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bootgrabber.exe" /tlist

C:\Windows\system32\msfeedssync.exe

msfeedssync.exe sync

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe" /export "C:\Users\Admin\Documents\EasyBCD 백업 (2024-08-15).bcd"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe" /enum all

Network

Country Destination Domain Proto
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 45.33.20.235:80 www.aieov.com tcp
US 45.33.20.235:80 www.aieov.com tcp
US 8.8.8.8:53 api.neosmart.net udp
US 8.8.8.8:53 feeds.neosmart.net udp
GB 18.172.153.50:443 api.neosmart.net tcp
US 65.182.170.12:80 feeds.neosmart.net tcp
US 8.8.8.8:53 rss.neosmart.net udp
US 8.8.8.8:53 www.msn.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.203:443 www.msn.com tcp
FR 216.58.213.83:80 rss.neosmart.net tcp
GB 95.100.245.144:443 www.microsoft.com tcp
GB 95.100.245.144:443 www.microsoft.com tcp
US 8.8.8.8:53 rssgov.windows.microsoft.com udp
GB 173.222.211.32:80 rssgov.windows.microsoft.com tcp
US 65.182.170.12:80 feeds.neosmart.net tcp
FR 216.58.213.83:80 rss.neosmart.net tcp
US 45.33.20.235:80 www.aieov.com tcp
US 8.8.8.8:53 rss.msn.com udp
GB 2.18.108.19:443 rss.msn.com tcp
US 45.33.20.235:80 www.aieov.com tcp
US 45.33.20.235:80 www.aieov.com tcp
US 45.33.20.235:80 www.aieov.com tcp
US 45.33.20.235:80 www.aieov.com tcp
US 45.33.20.235:80 www.aieov.com tcp
US 45.33.20.235:80 www.aieov.com tcp
US 45.33.20.235:80 www.aieov.com tcp
US 45.33.20.235:80 www.aieov.com tcp
US 45.33.20.235:80 www.aieov.com tcp

Files

\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/2128-0-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2128-4-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2128-6-0x000000000042F000-0x0000000000430000-memory.dmp

memory/2008-102-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2008-103-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe

MD5 e478c92160a3c73c77cdc9f515dfd8b0
SHA1 f0fa230f8c26bcbddc3b68f38ce0793d46c0ca2b
SHA256 6a6e16c176004128b918ef3f9ecf1d51d828e6099fba6542b5ac6abdb67c1030
SHA512 3682b4f5bc31cd056c3f552da657309093e35b4757c073a223385c04765f622ce9ee000fb5dbc950c68ad7913ffdcc831ef65bd5ed7241f6179ea375b17be822

\??\c:\users\admin\appdata\local\temp\7zipsfx.000\bin\udefrag-kernel.dll

MD5 eb4d6b8cfc5ab065fd9558a880f698fe
SHA1 7067d2f6e2eb64f7de1a7d88c6e6dcd779243fa7
SHA256 fd23026187389972d4712d8d4bafbb05cd138cba42f08c7cc3fb92a757eb6aa4
SHA512 66742440641201df6cf0b78a3b5242f33bb02f1258a7472ce5aaa3cd4b01e505d5d3ebafcf47ea0251068120b08ba786424d7de4c5512ceac3b7a4869a74c144

\??\c:\users\admin\appdata\local\temp\7zipsfx.000\Starter.exe

MD5 a0d0ac258d1dae37796cf329e3a2057c
SHA1 a706427da4489ad01d4b56ccba243c1243ee14c7
SHA256 d5176fe2c55314c2ede8fbab24d641cbe03ee372c2fb709178b5984baa1bff2b
SHA512 4f5cd5bd5f695dfe6229457195bf2126abe3ccb0f08311143dba5b0fac251f0b3602fc62fd86d03a4b1a501e985b40073f4e8f6ff5e58d79ddd7fa28740ed562

\??\c:\users\admin\appdata\local\temp\7zipsfx.000\Newtonsoft.Json.dll

MD5 0953851089821550ef013b487da3915a
SHA1 7b4dfb7d547404fb6f3cc561d9475209aa2c6172
SHA256 4a56ef352f84ad19c1b4486c7c9e64fef9a67c464c62e51bababa79cd2d89551
SHA512 4a41a97527604042e1d28e2869aac1dea79da372ffc7e211415e45e4212a853971731cf4fc9595d81c4f4b824f8e7441c2ad6f2641d053cd783b264c83c29e86

\??\c:\users\admin\appdata\local\temp\7zipsfx.000\NeoSmart.Localization.dll

MD5 ad0a59ae87d4ba106e965c62f0bc3d88
SHA1 5b39b6fd95b5bee72a17d79a1f4958256a5c4149
SHA256 3a56005b2efb34620019ef432fe90eeb63726fc78b37be841f25c2aed82eb1db
SHA512 562b2cbd3fdbbb71dee9fdb68bd24b9bbf27beab93de338a616baec837910f31ad3b13d75564d45a1cca26e1150517b47d0b3984bae7d08675593bde22bbea98

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe.config

MD5 3379ac7243adcfa51a02295dbedc956a
SHA1 469bbae4b1844832809196c89f198029beef4af8
SHA256 7ec2512b59e62a3aeb0a1025bf152a31291e17e7e469ce18efae153064665b03
SHA512 08d7101b21b87e11aff79cd8b47ec3ba2878cf72406e4d59771531ce6098609f8340607cd8b9ae0721c56f8fba5927c93f0412f0042879f04f2cd223d82430a4

memory/1648-112-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

memory/1648-113-0x0000000000B70000-0x0000000000C66000-memory.dmp

memory/1648-114-0x00000000009A0000-0x00000000009AC000-memory.dmp

memory/1648-115-0x0000000000AC0000-0x0000000000B34000-memory.dmp

memory/1648-118-0x0000000002070000-0x00000000020B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\properties.xml

MD5 06eaea5b0972b869dc5c643ecbb2fcfe
SHA1 05e31974657b1d5ba89f0709a009b2b8233ebcf2
SHA256 f2b7e9d7e1dafe9335b53e39fd8570968358f4f0a3426012f0a510b1f7fec26d
SHA512 38b5cd2f7c762ff922a02389992bb1b77da9fbd6628873e156a152c5d31c46f6ac5e431198624e4d29ba0960b9467e6a8972e826e272c6e655ed1fbdaa88c0f3

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\AboutBox.xml

MD5 883eb174fb50732863fcb223bb689630
SHA1 85421afa904951f836275f6d9434970d099b419b
SHA256 c837c908319881a9781e454d6a8e6e91606fede069b5c9296ba121dafecf7a79
SHA512 10db1a874ff6fb34ec95f3f85c7390905fd1810fecad918f791a3a6b8dde4699c436dc3a3fa07069008d521dad214b44693b5607b13626f85cd16c62d0c1c495

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\EasyBCD.xml

MD5 b1c31e3485b654f3687043e4fcc0b53f
SHA1 eae95c89e1f0a9485511e5a415fea3757411b193
SHA256 a3a4eab70f088585ea57c4f278a848d22757c2b2cfb6d1c53c881b332c02379e
SHA512 531146d2681967f884b68ff5167ef6c06b311c6c6ba9649cdb3059794cd082e80d1f414f7de040711179608fb28f3d12fc8c00bbace9fdc38f7b1190a1d676e0

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\DriveSelect.xml

MD5 dd35c3a5a530e2eec685855d2d3a37bb
SHA1 5fc3a189aaca5df055bb230744e5fbe91ebf8f74
SHA256 9be6ef8e6644e87c68718df8f3f3dacfd760d6d8b6d51a4ea84dbdaa6ab68db4
SHA512 8b8dc2ce8112439461e0f3c99e6bccc98088bdbcba452152b2356b34e6660709f462238ed0a90e55e58211f9705235c24f820521ee6882fcc8e4a3923d53d190

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\LicenseDialog.xml

MD5 8acbb0cb7057a9dce9f9c7505e9797b4
SHA1 07dcab47155264545641f2e60213775ad2b3a295
SHA256 f6851389f78a8b845b903cb42cd23c389368fcdaa9380e8e9573c629c11959ad
SHA512 c8cef019b2081b4ab2229a6874be38d35cdccff71973e5d00686eb914b3c5effbbf8397b372eef7b8e8136e5fbc0f8e5e5ba7d4abfc96118a6789ace552f2069

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\MainUI.xml

MD5 c1c82f45c3129dfbed570e515532e2d6
SHA1 ccd3fbe9b7716ca344e67242311751af2fce2cbb
SHA256 8cce773649c3d42bd0a65f4fe7c64364fe67dac8540ebdf5428b91a348768bf2
SHA512 b5291539b48a3cb5ed2d5b6e27e8d6950c729837d9b8640c23926a787fca0ae8e24b14b9340ec08aad8220f88e0e572f411f38e27b980c2aea17f10c5ebd51f4

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\SdiMaker.xml

MD5 684490c4336716dd4148ecf789c26121
SHA1 3f194d47c8b9185ae96fdbef46e56088f7d3fd8a
SHA256 9c65c1b4d2b0078d0a035ed2496978fe25ed9483922ff3f35dc8b077ffc97eee
SHA512 7f456d84dc62b279f00870299f60ca1a3d4a2fe84d68db55ec99d3a1ab2b4206551f9702d7df233681e1cb836d778c47141e69717e2871d623245fbcdbddb904

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\ProgressDialog.xml

MD5 f6d1c497ca3b282fec8cb468e056378a
SHA1 25e217a29a3345df6dc992b996805ea6b77824be
SHA256 373f68416d333cc97dc74a00bab8ada24ed861e621e0dded0edd92dbe3855341
SHA512 a45a9d98ed6f04566c4f305ef72e2046a585b4e1c8ab5f0d9865ad00b388b162ec68155f051e4c7b94989abff12208cc9370e096b35216aeedc8089c6487f10e

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\OptionsDialog.xml

MD5 9fb4355e9719fe7f36b5e449161382b7
SHA1 d98e4ed815676f90c66535f0e3d78d1e9b17ed62
SHA256 d51e336d8fd980e4afe130f93cb39c393e5646aaa64b4961975f78cdfca87565
SHA512 5718ebc206ead911aecffaaa4328721fc96fa8403f12a573fc8a012151108f59344afc7375240da2f197e90fade3bb642c49f36494ee8d0517b1c20cf7c29d59

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\LanguageDialog.xml

MD5 dfc7dd6dd71c4ef40c9beec4b62a8ef4
SHA1 a1b4a01a4757ce8a5d8c87444b3b8f71a6634ede
SHA256 e5c2e1197b9179f3960b347ccb1b1837148b540f35ba8c2a6550631061a886f6
SHA512 a40bf12014d1a251fa55115f81baf6622a3c34b2ffdc1205f1526e5590782af44bd5b601e8e472c0e611a7a2c34b1cfb4db01fc4882d78baa690cc08ae81983e

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\EasyRE.xml

MD5 ae8bb0e9b6e218a10be54da5899ae3e9
SHA1 665b44075d862e91da038501a43c64c3e5fa5f56
SHA256 a10925561a251b5e3462f979478147b7e8d4e739d7f38038ff1ca0d516204ec3
SHA512 7dd872b115e0122dc837eb21a095597a12366151f9ee7bfc82efc4b4fdd83f5fd8b0ed1f2a4d529c0880f009f52e0012001bfccef66567b5bd25d352ff0cb2e4

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\DonationDialog.xml

MD5 1f6859a48903f308639e03ba3284e7f5
SHA1 be6cc001a5a4dcd8e04aefcb124889fb51a58a5d
SHA256 318667ac37efbc88e9ef7e984e2caec11cc8b16b454c07adcd133784ac123f2e
SHA512 41eb5afd8d7aa78298825b25b669016f2695e478f5e57748f0c8d2e0dc4d4de105e74f62b3ff69c4554d16f944e625cd81c43d812c0f86f0b99d5f1a5b74d5c2

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\DefragDialog.xml

MD5 8500ee43f1b0ea2a47a9637377902a7e
SHA1 69399c69041561fd018e4c0dd6c50b00a14ca242
SHA256 7084593701e3d7f0aceffb6b5d63bec611d103e41850d26ec90b2fd4a7944d98
SHA512 966d96e82aed98c90c702f6233e1372c4bc48fcfe8ae6e22324960476607e952b556894e6daba9527cb05244fa3cab1d486eed9c8a5e21dd69b25230b6e48c6a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\BcdLibrary.xml

MD5 219c12bbd4390df75ac7f6adcb5aff3d
SHA1 ca05e39b1b60fe53f5a4e2082197df4292618e39
SHA256 534a14891db815a7728a8bfd7d683584b39d118a7bca2e5323a3ae5e5e2479f2
SHA512 e7b0cc131641ecac16fca753309aa3c7db160baa4fa96f05d1f5f791d9e0050546e9cdf89a1c35ece021b9adfcc88b8b59e83b47c5536c0de838a4655f6cfc25

memory/2128-133-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2128-135-0x0000000010000000-0x0000000010030000-memory.dmp

\??\c:\program files\common files\system\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

memory/1648-139-0x0000000002240000-0x0000000002250000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms

MD5 25d1e6bc0ddde8980bc3d397a97fdcb2
SHA1 55f2dab5a589e17b5ae5e38ee3d485ed0e5be649
SHA256 f7ebaa71d0ab66ec6d1f357ef344e968139ccf989cc3959f6a5cd788003d4d7f
SHA512 c7512bd9f705c99c4c8fea9401e4f0448745b164104f44ad3fe642cd6e27ec4decdba856beb7c9018b38cc467c9bc802324f0c716ad666bc80ae7c32c25cfb15

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\BootGrabber.exe

MD5 2e12b37d32c8bcf8920f5ebb6d24a6b9
SHA1 7fcd9e4ebfa2c400d6340133440c087e56a3c9e6
SHA256 f9842333f0b562b4ab5349a09fc173b0b2971c1f600502c4284781c78a735d7e
SHA512 aa82f1ed984174a1b5a610eb28a422da6172dd027678d9d4b7a9714e85e050616403ad294a005ad1ab39032758a4d2fd8d498b1241dedda8c91698ffc7d3c527

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe

MD5 5b40791899fa37507e7c08bc3d9f5294
SHA1 cb98852ec22251b5124507427d05b3dfe7ec53a7
SHA256 5a87d9485f6e13ee2c3ba4ac289a3e237d17a43ed428b8a5bd5f00fc4800d1ac
SHA512 d2c0de00943d7e9961571a8e798688e46a8e7267086e15abaae8abca0fa7aedd02d5df3c5eb3dc6cfab0c5982694129bf5b9c0cb5d8e978fec0d76d54e441390

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe

MD5 a60cbaea0f8ac802d21c0cc7bc2589be
SHA1 f4c1f4b7f340968ba9c360f3fc1ef783a8bc7b2a
SHA256 8bf1b71182fed18d6b4112bdc4d496800b5bf6681de4c4f6536ba67378f38a12
SHA512 24ab704e214758b9318a333bb3a466a05e4218fbef70752b266d782e5fe89de19db8e5d5a584245fcc6aaf32ea99a0764583b3cc56299e99a2b7cf6ec42c2ccb

C:\Users\Admin\AppData\Local\Temp\Cab9B09.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar9B1C.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df7e7aa087cd40e96e840f0c668efeb1
SHA1 55c63124feb24292b96f92c1fe6c1e5b118388e4
SHA256 3e0ce3b6084c1813bff46afe05e4a62803d3178f0fb0f391ff62c4214be48327
SHA512 2798d494c05b1367db6995ae1ebd898be4aa4e13f9743b8d99f33e0e175065abc9f2326db684558bd54bedc0fad7faec23b4de85cbdb7961447862604f74ec27

memory/2008-194-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 877437e4fa491e2d57c2663330c10b3d
SHA1 0dd7faa6e52c1c6e09495da9cd46681de9280f07
SHA256 d25be21c089fedd326aa1480924974a10b22a1db164ea25eca5fe16553897b8c
SHA512 88268dd2e4d50b342871857a5d7ad254f8c49683a8d7138e9a1170b355d2f7535351142c3c9038712b555ce66f1a1450f7c044c28613b4fd830dd0c4ecf1a534

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 67a5af3a75186c1d5cb5f8667bd2597b
SHA1 698604ab29226d1b1c621d0d3489a4785d85a93e
SHA256 1d28e47079f98783115773266e4b53fae4e777b8139abcb261194b3cd18ee518
SHA512 ceba15adbe1527b668b30058031c7422d539911c4aa725efd390a3a9e2c9a9d17f285f8666fa589159aff7d1427b1ff8bf45eda0d62a07a75e4375e92a3c2ae8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b40424dde9c18b827f8417180c5d656f
SHA1 5e3281f3f1ff334789b289441b7803e18ef9362a
SHA256 c7294747a3610d0cc0885d2c1cb160b4a67727dc11692115c5942f364cb55ab9
SHA512 eb9cb1901e7f49bca8a54249445ccd3185e126f2030d003de24706b93c589e988a2da0ab279e71ce05d9d5c56e4485bab3679527aeabd83897e9552a63ff08ae

C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms

MD5 2c93e151c3dd54bb01d2b1148e0eeaf7
SHA1 8b73b4288aa326c7a5762ca07e82a6cee16909e7
SHA256 3bd2c3c8685c77bc5e20a0d191fc2fc8c3546ebf79b9abe61879021b0daa2178
SHA512 86b92b780fb79507282ea108227bd689ace1b74266d08afea14a2df890249743ff054e5fbf77c6faafe65fd8964f305d3355c5f04e316f42139bdca27beb0077

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 87f8a7a230fcb02a42367dff956964ca
SHA1 de7022087f834d8b74b440713e14cd1024616662
SHA256 d8e94cae6819c125f40a549024eacafe3240ec9d811a6e0799cc14a7e289a0f5
SHA512 1af3337f2f0e9569f6f7beda22525dbfc03a2b82eaf50156ad1a5009f2c85cd177faaefdc110234feded030ab241989e513977e245f3a7a3ff38294f50b7af3f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1cc63c721d6e8e5369d6b9b899c43e86
SHA1 e7b452edb7c1e7fe8ec613a7d846a9d70802a4ea
SHA256 5058382518f1b05cf88c99abbbcc4cc1100a719e09983809fa9ef71c45389267
SHA512 65c8e6f81874438a9869a7079a9f55f2597edffa8bedbd16fede89ff0085088d50b79d11784df3cc35f5500823a5fc92e6a2221f18e1e950a6b383b3431a36c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f8ef98a0609e13bd180e298ebab58cf
SHA1 7175b9b4d3b2b7f5da6877aacfe554a715e47fc6
SHA256 8625b7856961eb0ce4dbc0e38eff1741812e93a52730ca27fab383ba43ff6089
SHA512 6a6a20145762f9ff408de55f9a688cbc5799e35e8f46ec3fa7d33f46be7f24a26cc17983a1e5333a9bd77c3c215f5eca4929991f2234b1d0f69b192a27be3b72

memory/1648-430-0x00000000235C0000-0x000000002363C000-memory.dmp

memory/2008-541-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Feeds\The NeoSmart Files~.feed-ms

MD5 eee41316c6522cf4ac100dbc732c59a1
SHA1 a29324e49f0359a1f3a215200224fd9830651b0e
SHA256 7b14f7b39c86b65e36b39b0cfaf8149dc1a63d1f49df6147f4d1c9c0960bccec
SHA512 1898c1d5310494eb81a0a39b508ff8bef41a33f5c8513d59422ec6ba7ee85a2029a27138642c363345c9658bd7448b17238c1b79aa2712e9aed18a8a64bd3d4d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3a0f705f9fc7fb48f30cc3765b9b208
SHA1 df9a8911738f374c1af65c1a68140496e84ab18d
SHA256 8f5d04218b49775d690f5640c03a977a8b3e39588740c4091973437bd0e90a4d
SHA512 ddf1b968c885a407853cb32e9365b5cd9b7ab1809c390402a2ca52a2a141a1c516ee770d5d45810dcf114197a8fce5d8d2aef616def919df25f3fb720246c114

memory/2128-682-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1648-685-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

memory/2008-684-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms

MD5 c1b046950ed234122b7ff1d73ab41488
SHA1 c0679eef7f012cf8e2ac0222d95a3dd8d47e2096
SHA256 ddb4aa62393d650532eebc4611401bcb867e2f1cba773021246ce5460cda1ebd
SHA512 7ff36887ad89a487efde65ca982bf181744b9a97df17a92ff18744627e63b774c7e37018e41d58d602ee89975e25ce67517c3b1eb180c4f5e541906bcfcbe601

memory/2128-1012-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2128-1018-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2008-1021-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2128-1025-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2128-1031-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2128-1036-0x0000000010000000-0x0000000010030000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 21:05

Reported

2024-08-15 21:07

Platform

win10v2004-20240802-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files\common files\system\symsrv.dll.000 C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe N/A
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bootgrabber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Windows\System32\msfeedssync.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\System32\msfeedssync.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Windows\system32\msfeedssync.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\system32\msfeedssync.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe
PID 2916 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe
PID 2916 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe
PID 216 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe
PID 216 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe
PID 1336 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bootgrabber.exe
PID 1336 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bootgrabber.exe
PID 1336 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bootgrabber.exe
PID 1336 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Windows\System32\msfeedssync.exe
PID 1336 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Windows\System32\msfeedssync.exe
PID 1336 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Windows\system32\msfeedssync.exe
PID 1336 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Windows\system32\msfeedssync.exe
PID 1336 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe
PID 1336 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe
PID 1336 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe
PID 1336 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe
PID 1336 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe
PID 1336 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe
PID 4544 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe
PID 4544 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe
PID 4544 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe
PID 4940 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe
PID 4940 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe
PID 4940 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe

"C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe"

C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe

"C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe" -sfxwaitall:0 "EasyBCD.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bootgrabber.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bootgrabber.exe" /tlist

C:\Windows\System32\msfeedssync.exe

"C:\Windows\System32\msfeedssync.exe" forcesync

C:\Windows\system32\msfeedssync.exe

msfeedssync.exe sync

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe" /export "C:\Users\Admin\Documents\EasyBCD 백업 (2024-08-15).bcd"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe" /enum all

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 www.aieov.com udp
US 204.79.197.237:443 g.bing.com tcp
US 45.33.2.79:80 www.aieov.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.2.33.45.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 45.33.2.79:80 www.aieov.com tcp
US 8.8.8.8:53 api.neosmart.net udp
US 8.8.8.8:53 feeds.neosmart.net udp
GB 18.172.153.28:443 api.neosmart.net tcp
US 65.182.170.12:80 feeds.neosmart.net tcp
US 65.182.170.12:80 feeds.neosmart.net tcp
US 8.8.8.8:53 28.153.172.18.in-addr.arpa udp
US 8.8.8.8:53 12.170.182.65.in-addr.arpa udp
US 8.8.8.8:53 rss.neosmart.net udp
FR 216.58.213.83:80 rss.neosmart.net tcp
FR 216.58.213.83:80 rss.neosmart.net tcp
US 8.8.8.8:53 83.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 45.33.2.79:80 www.aieov.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 45.33.2.79:80 www.aieov.com tcp
US 45.33.2.79:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
US 45.33.2.79:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/2916-0-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/2916-4-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2916-6-0x000000000042F000-0x0000000000430000-memory.dmp

memory/216-105-0x0000000010000000-0x0000000010030000-memory.dmp

memory/216-107-0x0000000001FF0000-0x0000000002020000-memory.dmp

memory/216-106-0x0000000001FF0000-0x0000000002020000-memory.dmp

memory/216-104-0x0000000000400000-0x0000000000443000-memory.dmp

memory/216-108-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe

MD5 e478c92160a3c73c77cdc9f515dfd8b0
SHA1 f0fa230f8c26bcbddc3b68f38ce0793d46c0ca2b
SHA256 6a6e16c176004128b918ef3f9ecf1d51d828e6099fba6542b5ac6abdb67c1030
SHA512 3682b4f5bc31cd056c3f552da657309093e35b4757c073a223385c04765f622ce9ee000fb5dbc950c68ad7913ffdcc831ef65bd5ed7241f6179ea375b17be822

memory/1336-112-0x00007FFB5C6B3000-0x00007FFB5C6B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe.config

MD5 3379ac7243adcfa51a02295dbedc956a
SHA1 469bbae4b1844832809196c89f198029beef4af8
SHA256 7ec2512b59e62a3aeb0a1025bf152a31291e17e7e469ce18efae153064665b03
SHA512 08d7101b21b87e11aff79cd8b47ec3ba2878cf72406e4d59771531ce6098609f8340607cd8b9ae0721c56f8fba5927c93f0412f0042879f04f2cd223d82430a4

memory/1336-113-0x00000000003E0000-0x00000000004D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NeoSmart.Localization.dll

MD5 ad0a59ae87d4ba106e965c62f0bc3d88
SHA1 5b39b6fd95b5bee72a17d79a1f4958256a5c4149
SHA256 3a56005b2efb34620019ef432fe90eeb63726fc78b37be841f25c2aed82eb1db
SHA512 562b2cbd3fdbbb71dee9fdb68bd24b9bbf27beab93de338a616baec837910f31ad3b13d75564d45a1cca26e1150517b47d0b3984bae7d08675593bde22bbea98

memory/1336-115-0x0000000002460000-0x000000000246C000-memory.dmp

memory/1336-116-0x00007FFB5C6B0000-0x00007FFB5D171000-memory.dmp

memory/1336-117-0x000000001B2F0000-0x000000001B364000-memory.dmp

memory/1336-120-0x000000001C080000-0x000000001C0C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\properties.xml

MD5 06eaea5b0972b869dc5c643ecbb2fcfe
SHA1 05e31974657b1d5ba89f0709a009b2b8233ebcf2
SHA256 f2b7e9d7e1dafe9335b53e39fd8570968358f4f0a3426012f0a510b1f7fec26d
SHA512 38b5cd2f7c762ff922a02389992bb1b77da9fbd6628873e156a152c5d31c46f6ac5e431198624e4d29ba0960b9467e6a8972e826e272c6e655ed1fbdaa88c0f3

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\LanguageDialog.xml

MD5 dfc7dd6dd71c4ef40c9beec4b62a8ef4
SHA1 a1b4a01a4757ce8a5d8c87444b3b8f71a6634ede
SHA256 e5c2e1197b9179f3960b347ccb1b1837148b540f35ba8c2a6550631061a886f6
SHA512 a40bf12014d1a251fa55115f81baf6622a3c34b2ffdc1205f1526e5590782af44bd5b601e8e472c0e611a7a2c34b1cfb4db01fc4882d78baa690cc08ae81983e

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\SdiMaker.xml

MD5 684490c4336716dd4148ecf789c26121
SHA1 3f194d47c8b9185ae96fdbef46e56088f7d3fd8a
SHA256 9c65c1b4d2b0078d0a035ed2496978fe25ed9483922ff3f35dc8b077ffc97eee
SHA512 7f456d84dc62b279f00870299f60ca1a3d4a2fe84d68db55ec99d3a1ab2b4206551f9702d7df233681e1cb836d778c47141e69717e2871d623245fbcdbddb904

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\ProgressDialog.xml

MD5 f6d1c497ca3b282fec8cb468e056378a
SHA1 25e217a29a3345df6dc992b996805ea6b77824be
SHA256 373f68416d333cc97dc74a00bab8ada24ed861e621e0dded0edd92dbe3855341
SHA512 a45a9d98ed6f04566c4f305ef72e2046a585b4e1c8ab5f0d9865ad00b388b162ec68155f051e4c7b94989abff12208cc9370e096b35216aeedc8089c6487f10e

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\MainUI.xml

MD5 c1c82f45c3129dfbed570e515532e2d6
SHA1 ccd3fbe9b7716ca344e67242311751af2fce2cbb
SHA256 8cce773649c3d42bd0a65f4fe7c64364fe67dac8540ebdf5428b91a348768bf2
SHA512 b5291539b48a3cb5ed2d5b6e27e8d6950c729837d9b8640c23926a787fca0ae8e24b14b9340ec08aad8220f88e0e572f411f38e27b980c2aea17f10c5ebd51f4

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\OptionsDialog.xml

MD5 9fb4355e9719fe7f36b5e449161382b7
SHA1 d98e4ed815676f90c66535f0e3d78d1e9b17ed62
SHA256 d51e336d8fd980e4afe130f93cb39c393e5646aaa64b4961975f78cdfca87565
SHA512 5718ebc206ead911aecffaaa4328721fc96fa8403f12a573fc8a012151108f59344afc7375240da2f197e90fade3bb642c49f36494ee8d0517b1c20cf7c29d59

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\LicenseDialog.xml

MD5 8acbb0cb7057a9dce9f9c7505e9797b4
SHA1 07dcab47155264545641f2e60213775ad2b3a295
SHA256 f6851389f78a8b845b903cb42cd23c389368fcdaa9380e8e9573c629c11959ad
SHA512 c8cef019b2081b4ab2229a6874be38d35cdccff71973e5d00686eb914b3c5effbbf8397b372eef7b8e8136e5fbc0f8e5e5ba7d4abfc96118a6789ace552f2069

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\EasyRE.xml

MD5 ae8bb0e9b6e218a10be54da5899ae3e9
SHA1 665b44075d862e91da038501a43c64c3e5fa5f56
SHA256 a10925561a251b5e3462f979478147b7e8d4e739d7f38038ff1ca0d516204ec3
SHA512 7dd872b115e0122dc837eb21a095597a12366151f9ee7bfc82efc4b4fdd83f5fd8b0ed1f2a4d529c0880f009f52e0012001bfccef66567b5bd25d352ff0cb2e4

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\EasyBCD.xml

MD5 b1c31e3485b654f3687043e4fcc0b53f
SHA1 eae95c89e1f0a9485511e5a415fea3757411b193
SHA256 a3a4eab70f088585ea57c4f278a848d22757c2b2cfb6d1c53c881b332c02379e
SHA512 531146d2681967f884b68ff5167ef6c06b311c6c6ba9649cdb3059794cd082e80d1f414f7de040711179608fb28f3d12fc8c00bbace9fdc38f7b1190a1d676e0

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\DonationDialog.xml

MD5 1f6859a48903f308639e03ba3284e7f5
SHA1 be6cc001a5a4dcd8e04aefcb124889fb51a58a5d
SHA256 318667ac37efbc88e9ef7e984e2caec11cc8b16b454c07adcd133784ac123f2e
SHA512 41eb5afd8d7aa78298825b25b669016f2695e478f5e57748f0c8d2e0dc4d4de105e74f62b3ff69c4554d16f944e625cd81c43d812c0f86f0b99d5f1a5b74d5c2

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\DriveSelect.xml

MD5 dd35c3a5a530e2eec685855d2d3a37bb
SHA1 5fc3a189aaca5df055bb230744e5fbe91ebf8f74
SHA256 9be6ef8e6644e87c68718df8f3f3dacfd760d6d8b6d51a4ea84dbdaa6ab68db4
SHA512 8b8dc2ce8112439461e0f3c99e6bccc98088bdbcba452152b2356b34e6660709f462238ed0a90e55e58211f9705235c24f820521ee6882fcc8e4a3923d53d190

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\DefragDialog.xml

MD5 8500ee43f1b0ea2a47a9637377902a7e
SHA1 69399c69041561fd018e4c0dd6c50b00a14ca242
SHA256 7084593701e3d7f0aceffb6b5d63bec611d103e41850d26ec90b2fd4a7944d98
SHA512 966d96e82aed98c90c702f6233e1372c4bc48fcfe8ae6e22324960476607e952b556894e6daba9527cb05244fa3cab1d486eed9c8a5e21dd69b25230b6e48c6a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\AboutBox.xml

MD5 883eb174fb50732863fcb223bb689630
SHA1 85421afa904951f836275f6d9434970d099b419b
SHA256 c837c908319881a9781e454d6a8e6e91606fede069b5c9296ba121dafecf7a79
SHA512 10db1a874ff6fb34ec95f3f85c7390905fd1810fecad918f791a3a6b8dde4699c436dc3a3fa07069008d521dad214b44693b5607b13626f85cd16c62d0c1c495

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lang\en-US\BcdLibrary.xml

MD5 219c12bbd4390df75ac7f6adcb5aff3d
SHA1 ca05e39b1b60fe53f5a4e2082197df4292618e39
SHA256 534a14891db815a7728a8bfd7d683584b39d118a7bca2e5323a3ae5e5e2479f2
SHA512 e7b0cc131641ecac16fca753309aa3c7db160baa4fa96f05d1f5f791d9e0050546e9cdf89a1c35ece021b9adfcc88b8b59e83b47c5536c0de838a4655f6cfc25

memory/2916-136-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2916-137-0x0000000010000000-0x0000000010030000-memory.dmp

memory/216-138-0x0000000000400000-0x0000000000443000-memory.dmp

memory/216-144-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\BootGrabber.exe

MD5 2e12b37d32c8bcf8920f5ebb6d24a6b9
SHA1 7fcd9e4ebfa2c400d6340133440c087e56a3c9e6
SHA256 f9842333f0b562b4ab5349a09fc173b0b2971c1f600502c4284781c78a735d7e
SHA512 aa82f1ed984174a1b5a610eb28a422da6172dd027678d9d4b7a9714e85e050616403ad294a005ad1ab39032758a4d2fd8d498b1241dedda8c91698ffc7d3c527

memory/216-145-0x0000000001FF0000-0x0000000002020000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms

MD5 0ed2c3c11fce80392dc4512ca32c231e
SHA1 c3d5bd09d1d91d5138583067fdb38588227706ee
SHA256 228def8d2cec66202626d3b1d84b3987946c8e84ebc2672a9bb235be9d1727a5
SHA512 ed6e40546388c899a29cd690a4db338958f2961617d208cd57f27d11af802fa141c63aefde2b6ba3f6eecd57008e418ca21aff3094affbcd47698c824e55040d

C:\Users\Admin\AppData\Local\Microsoft\Feeds\The NeoSmart Files~.feed-ms

MD5 5994bbf9ebd5de5752ada025fea2da5b
SHA1 ec214ca41de4ca85cb9b491dc3ae89a3d1204f3b
SHA256 c31a90b6760ae602b58cf7dd666643e0b2ebced6585dbd9a11f7535a11e4cfb9
SHA512 29e485e9c3be955f2929840c4d845f2fa1fca2a84f1e342cd3c9d2a8d831ccf183ca6c9949207db4cd037c1860f5f3c72b83bf773af499f999b35b1c39864b73

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe

MD5 5b40791899fa37507e7c08bc3d9f5294
SHA1 cb98852ec22251b5124507427d05b3dfe7ec53a7
SHA256 5a87d9485f6e13ee2c3ba4ac289a3e237d17a43ed428b8a5bd5f00fc4800d1ac
SHA512 d2c0de00943d7e9961571a8e798688e46a8e7267086e15abaae8abca0fa7aedd02d5df3c5eb3dc6cfab0c5982694129bf5b9c0cb5d8e978fec0d76d54e441390

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe

MD5 a60cbaea0f8ac802d21c0cc7bc2589be
SHA1 f4c1f4b7f340968ba9c360f3fc1ef783a8bc7b2a
SHA256 8bf1b71182fed18d6b4112bdc4d496800b5bf6681de4c4f6536ba67378f38a12
SHA512 24ab704e214758b9318a333bb3a466a05e4218fbef70752b266d782e5fe89de19db8e5d5a584245fcc6aaf32ea99a0764583b3cc56299e99a2b7cf6ec42c2ccb

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Newtonsoft.Json.dll

MD5 0953851089821550ef013b487da3915a
SHA1 7b4dfb7d547404fb6f3cc561d9475209aa2c6172
SHA256 4a56ef352f84ad19c1b4486c7c9e64fef9a67c464c62e51bababa79cd2d89551
SHA512 4a41a97527604042e1d28e2869aac1dea79da372ffc7e211415e45e4212a853971731cf4fc9595d81c4f4b824f8e7441c2ad6f2641d053cd783b264c83c29e86

memory/1336-164-0x0000000027C50000-0x0000000027CCC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms

MD5 0d1e37696eb05598cda87b11ea1cefd1
SHA1 cd4e34b129f3c42c5de29511e0dbd13da5889d7d
SHA256 6fcb4a04d079fe33dfbbcc3bbbe2a72bc5e714944cb1a7545eaa15f37688e7d6
SHA512 e23773d059bec157c22edc9e571e4ba828ef047463324c2b8e2855c76c78533b95c1bb5b54379de93641a7d234eba7504bef2c206af0f60105e154abd3689dfc

C:\Users\Admin\AppData\Local\Microsoft\Feeds\The NeoSmart Files~.feed-ms

MD5 de714e975c77ac283dabbffd1cad2ede
SHA1 8208101d4980a4e5bf0b53ad53379b214a87e0dd
SHA256 19a9fcdb9bd3ef139efa2eaaa76996234ce5248386faec5e0592beb42dc5074a
SHA512 dfb8277dac184e502daf0b494f0275b8e8b44794ab61ddeb218b9b93037f3bcc4e86b253648dc66db8c67cd6783e5da5d311bd6d840c02e4a2cef9d6c7e8a4cc

memory/216-168-0x0000000001FF0000-0x0000000002020000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Feeds\The NeoSmart Files~.feed-ms

MD5 9ee93f369f840b313e656aff58fe43b2
SHA1 cd698187748821f98538f36c49e55acb2f5e602e
SHA256 17b099098f436417629f0cebeb445f0fdcea82bc570d3e5ba8c0829189a7e9cd
SHA512 439bd46c50800ae4740779c147817fef2c1bb42e7d1bd5587083a0c042e771e7d833cc489289cf24cab0c56be85e98f8b9271db4b2bcde9cfcb2d29d546aaadc

memory/2916-179-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1336-180-0x00007FFB5C6B3000-0x00007FFB5C6B5000-memory.dmp

memory/216-182-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1336-183-0x00007FFB5C6B0000-0x00007FFB5D171000-memory.dmp

memory/2916-189-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

memory/2916-197-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2916-221-0x0000000010000000-0x0000000010030000-memory.dmp