Analysis Overview
SHA256
9a303e830a991a9c14a70ecad4b52575b3ed0402d88aa2ff65acc5b776aeaeb7
Threat Level: Known bad
The file ab1584a0064fc4a6132e8ae530bf2a27.exe was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Djvu Ransomware
Detects Smokeloader packer
IcedID, BokBot
Aurora
SmokeLoader
Vidar
DcRat
Downloads MZ/PE file
Executes dropped EXE
Reads user/profile data of web browsers
Modifies file permissions
Loads dropped DLL
Checks computer location settings
Accesses 2FA software files, possible credential harvesting
Looks up external IP address via web service
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-10 02:56
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-10 02:56
Reported
2023-01-10 02:58
Platform
win10v2004-20221111-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Aurora
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ab1584a0064fc4a6132e8ae530bf2a27.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\423cf4da-4e8a-43ae-bcea-e06663ca0814\\4D46.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\4D46.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detected Djvu ransomware
10 matching events; the sandbox recorded no indicator, process or target for them.
Detects Smokeloader packer
3 matching events; the sandbox recorded no indicator, process or target for them.
Djvu Ransomware
IcedID, BokBot
SmokeLoader
Vidar
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\ab072e5f-2f14-49de-be7c-832eed203752\build2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4F99.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4D46.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4D46.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ab072e5f-2f14-49de-be7c-832eed203752\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ab072e5f-2f14-49de-be7c-832eed203752\build2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\423cf4da-4e8a-43ae-bcea-e06663ca0814\\4D46.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\4D46.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1472 set thread context of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\4D46.exe | C:\Users\Admin\AppData\Local\Temp\4D46.exe |
| PID 4212 set thread context of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\4D46.exe | C:\Users\Admin\AppData\Local\Temp\4D46.exe |
| PID 4728 set thread context of 3804 | N/A | C:\Users\Admin\AppData\Local\Temp\4F99.exe | C:\Users\Admin\AppData\Local\Temp\4F99.exe |
| PID 5104 set thread context of 3576 | N/A | C:\Users\Admin\AppData\Local\ab072e5f-2f14-49de-be7c-832eed203752\build2.exe | C:\Users\Admin\AppData\Local\ab072e5f-2f14-49de-be7c-832eed203752\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\52D6.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\55D5.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\57E9.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\4B41.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ab1584a0064fc4a6132e8ae530bf2a27.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ab1584a0064fc4a6132e8ae530bf2a27.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ab1584a0064fc4a6132e8ae530bf2a27.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5E15.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5E15.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5E15.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\ab072e5f-2f14-49de-be7c-832eed203752\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\ab072e5f-2f14-49de-be7c-832eed203752\build2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ab1584a0064fc4a6132e8ae530bf2a27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ab1584a0064fc4a6132e8ae530bf2a27.exe | N/A |
Plus 62 further events for which the sandbox recorded no process.
Suspicious behavior: GetForegroundWindowSpam
1 matching event; the sandbox recorded no indicator, process or target for it.
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ab1584a0064fc4a6132e8ae530bf2a27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5E15.exe | N/A |
Plus 18 further events for which the sandbox recorded no process.
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4B41.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\57E9.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4F99.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\ab1584a0064fc4a6132e8ae530bf2a27.exe | "C:\Users\Admin\AppData\Local\Temp\ab1584a0064fc4a6132e8ae530bf2a27.exe" |
| C:\Users\Admin\AppData\Local\Temp\4B41.exe | C:\Users\Admin\AppData\Local\Temp\4B41.exe |
| C:\Users\Admin\AppData\Local\Temp\4D46.exe | C:\Users\Admin\AppData\Local\Temp\4D46.exe |
| C:\Users\Admin\AppData\Local\Temp\4F99.exe | C:\Users\Admin\AppData\Local\Temp\4F99.exe |
| C:\Users\Admin\AppData\Local\Temp\52D6.exe | C:\Users\Admin\AppData\Local\Temp\52D6.exe |
| C:\Users\Admin\AppData\Local\Temp\55D5.exe | C:\Users\Admin\AppData\Local\Temp\55D5.exe |
| C:\Users\Admin\AppData\Local\Temp\57E9.exe | C:\Users\Admin\AppData\Local\Temp\57E9.exe |
| C:\Users\Admin\AppData\Local\Temp\5A1C.exe | C:\Users\Admin\AppData\Local\Temp\5A1C.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== |
| C:\Users\Admin\AppData\Local\Temp\5E15.exe | C:\Users\Admin\AppData\Local\Temp\5E15.exe |
| C:\Users\Admin\AppData\Local\Temp\4D46.exe | C:\Users\Admin\AppData\Local\Temp\4D46.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1504 -ip 1504 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 304 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2464 -ip 2464 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 344 |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\423cf4da-4e8a-43ae-bcea-e06663ca0814" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\4D46.exe | "C:\Users\Admin\AppData\Local\Temp\4D46.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\4D46.exe | "C:\Users\Admin\AppData\Local\Temp\4D46.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1272 -ip 1272 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1488 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1204 -ip 1204 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1836 |
| C:\Users\Admin\AppData\Local\ab072e5f-2f14-49de-be7c-832eed203752\build2.exe | "C:\Users\Admin\AppData\Local\ab072e5f-2f14-49de-be7c-832eed203752\build2.exe" |
| C:\Users\Admin\AppData\Local\ab072e5f-2f14-49de-be7c-832eed203752\build3.exe | "C:\Users\Admin\AppData\Local\ab072e5f-2f14-49de-be7c-832eed203752\build3.exe" |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Local\Temp\4F99.exe | C:\Users\Admin\AppData\Local\Temp\4F99.exe |
| C:\Users\Admin\AppData\Local\Temp\4F99.exe | C:\Users\Admin\AppData\Local\Temp\4F99.exe |
| C:\Windows\System32\Wbem\wmic.exe | wmic os get Caption |
| C:\Windows\system32\cmd.exe | cmd /C "wmic path win32_VideoController get name" |
| C:\Windows\System32\Wbem\WMIC.exe | wmic path win32_VideoController get name |
| C:\Windows\system32\cmd.exe | cmd /C "wmic cpu get name" |
| C:\Windows\System32\Wbem\WMIC.exe | wmic cpu get name |
| C:\Users\Admin\AppData\Local\ab072e5f-2f14-49de-be7c-832eed203752\build2.exe | "C:\Users\Admin\AppData\Local\ab072e5f-2f14-49de-be7c-832eed203752\build2.exe" |
| C:\Users\Admin\AppData\Local\Temp\FBFC.exe | C:\Users\Admin\AppData\Local\Temp\FBFC.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\ab072e5f-2f14-49de-be7c-832eed203752\build2.exe" & exit |
| C:\Windows\SysWOW64\timeout.exe | timeout /t 6 |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
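Four of the command lines above are the ones worth turning into repeatable checks: the PowerShell -ENC argument (base64 of UTF-16LE text; here it decodes to a 20-second sleep, a cheap way to outlast short sandbox timeouts), the schtasks /create that reruns mstsca.exe from AppData\Roaming every minute, the icacls rule that denies Everyone (S-1-1-0) the delete rights DE and DC on the dropper's folder so the user cannot remove it, and the cmd /c timeout & del chain that deletes build2.exe after six seconds. The Python below is an added example, not output of the sandbox and not code from any of the families named on this page: it runs those checks over constructed copies of the command lines. The five-minute task-interval threshold and the AppData heuristic are assumptions chosen for illustration.

```python
import base64
import re

# Constructed copies of command lines from the process list above. The sandbox
# records schtasks without its image name; that is kept as-is.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==',
    r'icacls "C:\Users\Admin\AppData\Local\423cf4da-4e8a-43ae-bcea-e06663ca0814" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"',
    r'"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\ab072e5f-2f14-49de-be7c-832eed203752\build2.exe" & exit',
    r'wmic os get Caption',
    r'C:\Windows\SysWOW64\explorer.exe',
]

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe; the
# lookbehind keeps "-e" inside a GUID-like path from matching.
ENC_RE = re.compile(r'(?<!\S)-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)


def decode_powershell_enc(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE text), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


def scheduled_task_findings(cmdline, max_minutes=5):
    """Flag schtasks /create with a tight minute interval or a target under AppData.
    max_minutes is an assumed threshold for illustration, not a value from the report."""
    if '/create' not in cmdline.lower():
        return []
    findings = []
    m = re.search(r'/sc\s+minute\s+/mo\s+(\d+)', cmdline, re.IGNORECASE)
    if m and int(m.group(1)) <= max_minutes:
        findings.append(f'repeats every {m.group(1)} minute(s)')
    m = re.search(r'/tr\s+"([^"]+)"', cmdline, re.IGNORECASE)
    if m and re.search(r'\\AppData\\', m.group(1), re.IGNORECASE):
        findings.append('task target under AppData: ' + m.group(1))
    return findings


def icacls_self_protect(cmdline):
    """Return the directory when icacls denies Everyone (S-1-1-0) delete rights
    (DE = delete, DC = delete child), the pattern used to guard the dropper folder."""
    if not re.match(r'\s*icacls\b', cmdline, re.IGNORECASE):
        return None
    m = re.search(r'"([^"]+)"\s+/deny\s+\*?S-1-1-0:((?:\([^)]*\))+)', cmdline, re.IGNORECASE)
    if not m:
        return None
    rights = set(re.findall(r'[A-Z]+', m.group(2).upper()))
    return m.group(1) if rights & {'DE', 'DC'} else None


def self_delete_chain(cmdline):
    """Return (delay_seconds, deleted_path) for the 'timeout /t N & del ...' pattern
    a dropper uses to remove itself after a short wait, or None."""
    m = re.search(r'timeout\s+/t\s+(\d+)\s*&\s*del\s+(?:/\w\s+)*"?([^"&]+)"?',
                  cmdline, re.IGNORECASE)
    return (int(m.group(1)), m.group(2).strip()) if m else None


def triage(cmdlines):
    """Map each command line to the behaviours it exhibits; clean lines are omitted."""
    report = {}
    for cmd in cmdlines:
        hits = []
        script = decode_powershell_enc(cmd)
        if script is not None:
            hits.append('encoded PowerShell: ' + script)
        hits += scheduled_task_findings(cmd)
        folder = icacls_self_protect(cmd)
        if folder:
            hits.append('icacls denies Everyone delete on ' + folder)
        wipe = self_delete_chain(cmd)
        if wipe:
            hits.append(f'self-delete of {wipe[1]} after {wipe[0]}s')
        if hits:
            report[cmd] = hits
    return report


if __name__ == '__main__':
    for cmd, hits in triage(SAMPLE_CMDLINES).items():
        print(cmd[:60], '->', hits)
```

Run as a script it prints one line per flagged command; the wmic and explorer.exe lines produce nothing, which is the point of keeping them in the sample: the checks key on the specific argument shapes rather than on the image name.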
Network
| Country | Destination | Domain | Proto |
| N/A | 40.126.31.73:443 | | tcp |
| N/A | 8.8.8.8:53 | potunulit.org | udp |
| N/A | 188.114.96.1:80 | potunulit.org | tcp |
| N/A | 8.248.7.254:80 | | tcp |
| N/A | 8.248.7.254:80 | | tcp |
| N/A | 188.114.97.1:80 | potunulit.org | tcp |
| N/A | 194.110.203.101:80 | 194.110.203.101 | tcp |
| N/A | 8.8.8.8:53 | polyzi.com | udp |
| N/A | 95.217.49.230:443 | polyzi.com | tcp |
| N/A | 185.106.94.35:80 | 185.106.94.35 | tcp |
| N/A | 8.8.8.8:53 | wagringamuk.com | udp |
| N/A | 162.33.179.231:80 | wagringamuk.com | tcp |
| N/A | 8.8.8.8:53 | api.2ip.ua | udp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 91.215.85.155:32796 | | tcp |
| N/A | 91.215.85.155:32796 | | tcp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 8.8.8.8:53 | spaceris.com | udp |
| N/A | 8.8.8.8:53 | uaery.top | udp |
| N/A | 190.147.188.50:80 | uaery.top | tcp |
| N/A | 109.98.58.98:80 | spaceris.com | tcp |
| N/A | 109.98.58.98:80 | spaceris.com | tcp |
| N/A | 82.115.223.77:8081 | | tcp |
| N/A | 8.8.8.8:53 | c3g6gx853u6j.xyz | udp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 8.8.8.8:53 | transfer.sh | udp |
| N/A | 144.76.136.153:443 | transfer.sh | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 8.8.8.8:53 | t.me | udp |
| N/A | 149.154.167.99:443 | t.me | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 5.75.203.81:80 | 5.75.203.81 | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 8.8.8.8:53 | github.com | udp |
| N/A | 140.82.113.3:443 | github.com | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 162.33.179.231:80 | wagringamuk.com | tcp |
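The table mixes three kinds of rows: DNS queries to 8.8.8.8, connections made under a resolved name, and connections to bare IPs, some of which the report prints with the protocol in the Domain column. The Python below is an added example, not part of the sandbox report: it parses constructed copies of the rows, repairs the shifted columns, groups connections by the name they were made under, and splits out shared services (api.2ip.ua, transfer.sh, t.me, github.com) that the sample uses but that should not land on a block list. Which names count as shared services is an analyst's judgement and is marked as such in the code; 40.126.31.73:443 has no name in the capture and is left for manual review rather than classified.

```python
import ipaddress
from collections import defaultdict

# Constructed subset of the Network table above, copied as printed. Two rows
# (40.126.31.73 and 91.215.85.155) carry the protocol in the Domain column,
# which is how the report renders connections made without a preceding lookup.
SAMPLE_ROWS = """
| N/A | 40.126.31.73:443 | tcp | |
| N/A | 8.8.8.8:53 | potunulit.org | udp |
| N/A | 188.114.96.1:80 | potunulit.org | tcp |
| N/A | 188.114.97.1:80 | potunulit.org | tcp |
| N/A | 194.110.203.101:80 | 194.110.203.101 | tcp |
| N/A | 8.8.8.8:53 | api.2ip.ua | udp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 91.215.85.155:32796 | tcp | |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 144.76.136.153:443 | transfer.sh | tcp |
| N/A | 149.154.167.99:443 | t.me | tcp |
| N/A | 82.115.223.77:8081 | tcp | |
"""

# Analyst judgement, not a fact from the report: shared services the sample
# abuses (IP lookup, file hosting, Telegram, GitHub) are kept as context
# rather than pushed to a block list.
SHARED_SERVICES = {"api.2ip.ua", "transfer.sh", "t.me", "github.com"}
RESOLVERS = {"8.8.8.8"}  # the sandbox's DNS resolver


def parse_rows(text):
    """Yield (ip, port, domain, proto) from markdown rows, repairing rows whose
    Domain and Proto cells were shifted one column to the left."""
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        _country, dest, domain, proto = cells
        if domain in ("tcp", "udp") and not proto:
            domain, proto = "", domain
        ip, port = dest.rsplit(":", 1)
        ipaddress.ip_address(ip)  # raises ValueError on a malformed destination
        yield ip, int(port), domain, proto


def build_iocs(text):
    """Group connections by the name they were made under; separate shared
    services and bare-IP connections so each can be reviewed on its own terms."""
    by_domain = defaultdict(set)
    direct = set()
    for ip, port, domain, proto in parse_rows(text):
        if ip in RESOLVERS:
            by_domain[domain]  # a queried name is kept even if no connection followed
            continue
        if not domain or domain == ip:
            direct.add((ip, port, proto))
        else:
            by_domain[domain].add(ip)
    return {
        "block_domains": {d: sorted(v) for d, v in by_domain.items() if d not in SHARED_SERVICES},
        "context_only": {d: sorted(v) for d, v in by_domain.items() if d in SHARED_SERVICES},
        "direct_ip": sorted(direct),
    }


def format_blocklist(iocs):
    """Flat 'type value' lines for a DNS sinkhole or firewall feed. The direct-IP
    entries still need a human to drop anything that is benign infrastructure."""
    lines = [f"domain {d}" for d in sorted(iocs["block_domains"])]
    lines += [f"ip {ip}:{port}/{proto}" for ip, port, proto in iocs["direct_ip"]]
    return lines


if __name__ == "__main__":
    print("\n".join(format_blocklist(build_iocs(SAMPLE_ROWS))))
```

Resolver rows are dropped from the connection set but the queried name is retained, so a name that was looked up and never contacted still appears (with no addresses) rather than silently vanishing from the list.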
Files
memory/2676-132-0x0000000002E5D000-0x0000000002E72000-memory.dmp
memory/2676-133-0x0000000002DA0000-0x0000000002DA9000-memory.dmp
memory/2676-134-0x0000000000400000-0x0000000002C3F000-memory.dmp
memory/2676-135-0x0000000000400000-0x0000000002C3F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4B41.exe
| MD5 | ac85181f75ef4b23f5bbf03076954ada |
| SHA1 | 146c0094cda98d8ca9839166ae0be50e3ec04e6c |
| SHA256 | 6890c20621b891bbc399fc5295aed4538a146169751b73f1168abb9d4fd478f3 |
| SHA512 | c54ffc9952139122436fae60f0dae0f1097faeca0b46e766914c6b2960ea96abac1ed309f8d59d0af98b7864af5ea213acfb92321c7ea22466c129936a51b719 |
memory/1204-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4B41.exe
| MD5 | ac85181f75ef4b23f5bbf03076954ada |
| SHA1 | 146c0094cda98d8ca9839166ae0be50e3ec04e6c |
| SHA256 | 6890c20621b891bbc399fc5295aed4538a146169751b73f1168abb9d4fd478f3 |
| SHA512 | c54ffc9952139122436fae60f0dae0f1097faeca0b46e766914c6b2960ea96abac1ed309f8d59d0af98b7864af5ea213acfb92321c7ea22466c129936a51b719 |
memory/1472-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4D46.exe
| MD5 | 5a4646dc1e0caa4a0c2da0ddb1c7e97f |
| SHA1 | bd57414c9549641a54a27cb7868d318689685938 |
| SHA256 | 9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba |
| SHA512 | 6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651 |
C:\Users\Admin\AppData\Local\Temp\4D46.exe
| MD5 | 5a4646dc1e0caa4a0c2da0ddb1c7e97f |
| SHA1 | bd57414c9549641a54a27cb7868d318689685938 |
| SHA256 | 9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba |
| SHA512 | 6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651 |
memory/4728-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4F99.exe
| MD5 | f776b5b8fecf6f685ba732827a2d3c46 |
| SHA1 | b22901812d68e6ccb2963fd25f1187b1a739138f |
| SHA256 | c673c1cc2dbd70c91b87d57d3ff5a2d6fd0d1410564856f8b7d047939fb89451 |
| SHA512 | b33f3b01dab36cdd2e3137a96693d149994e49a601c7c1bab5ace817824d7c148812ddce7dea4d42786ef4b01fdca27dcfedf90d995f44b6d153537279ee13c9 |
C:\Users\Admin\AppData\Local\Temp\4F99.exe
| MD5 | f776b5b8fecf6f685ba732827a2d3c46 |
| SHA1 | b22901812d68e6ccb2963fd25f1187b1a739138f |
| SHA256 | c673c1cc2dbd70c91b87d57d3ff5a2d6fd0d1410564856f8b7d047939fb89451 |
| SHA512 | b33f3b01dab36cdd2e3137a96693d149994e49a601c7c1bab5ace817824d7c148812ddce7dea4d42786ef4b01fdca27dcfedf90d995f44b6d153537279ee13c9 |
memory/4728-145-0x0000000000580000-0x00000000007E0000-memory.dmp
memory/4728-146-0x00007FFBA6E80000-0x00007FFBA7941000-memory.dmp
memory/1504-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\52D6.exe
| MD5 | 38cbb5cc418083d0184cd6293f24c61a |
| SHA1 | 07ff7a122a9742e0618756a70a2e790eb7c1b1d3 |
| SHA256 | 4aff6c1f5525128f83a597c1d8048488532d4dbc8f95058b84b4f031f7bbb4b0 |
| SHA512 | 38884caee36979ea9ebebacd6b9b059edb7e9b20a0f9c19f04484020b41ceec8ea94f85af9a4835fbeca112605610b03aef569dc4a191c1f604afd6c04e39c7a |
C:\Users\Admin\AppData\Local\Temp\52D6.exe
| MD5 | 38cbb5cc418083d0184cd6293f24c61a |
| SHA1 | 07ff7a122a9742e0618756a70a2e790eb7c1b1d3 |
| SHA256 | 4aff6c1f5525128f83a597c1d8048488532d4dbc8f95058b84b4f031f7bbb4b0 |
| SHA512 | 38884caee36979ea9ebebacd6b9b059edb7e9b20a0f9c19f04484020b41ceec8ea94f85af9a4835fbeca112605610b03aef569dc4a191c1f604afd6c04e39c7a |
memory/4728-151-0x000000001D170000-0x000000001D192000-memory.dmp
memory/2464-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\55D5.exe
| MD5 | 0858ab56c003ccf5694e0c35c885964f |
| SHA1 | dfa1a97895e6089f588926ef9136736f79807e65 |
| SHA256 | 84e2c3ff7c5509dda42f1fee89c227254afe229f972bb5ffe43a92665f597f49 |
| SHA512 | 0d38fd6c58a46cef7fc908a2b05304b3fb6767b878a743d3c91f51c633728e499e7e974114024220e88c067a7a50c228e2ed7f0b5c7dd121ba20f5561579e056 |
C:\Users\Admin\AppData\Local\Temp\55D5.exe
| MD5 | 0858ab56c003ccf5694e0c35c885964f |
| SHA1 | dfa1a97895e6089f588926ef9136736f79807e65 |
| SHA256 | 84e2c3ff7c5509dda42f1fee89c227254afe229f972bb5ffe43a92665f597f49 |
| SHA512 | 0d38fd6c58a46cef7fc908a2b05304b3fb6767b878a743d3c91f51c633728e499e7e974114024220e88c067a7a50c228e2ed7f0b5c7dd121ba20f5561579e056 |
memory/1272-154-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\57E9.exe
| MD5 | 268c4434408b72e72a59e30fa0ac129a |
| SHA1 | 58b3831fdc6a430276a2b88160c1428098a7981c |
| SHA256 | ce14e2c1a9edc95f7cdeff4472652881409ee815479149e07a3133f763d7d3c3 |
| SHA512 | 68d027acacfc135a12a8c0f596b7c6e9b417400353bbae27d10cdd0db55dcd1c7eebf1046abad655a9187a0ef6b80a3c6a76567a1fba2f648ed79aa299677c3b |
C:\Users\Admin\AppData\Local\Temp\57E9.exe
| MD5 | 268c4434408b72e72a59e30fa0ac129a |
| SHA1 | 58b3831fdc6a430276a2b88160c1428098a7981c |
| SHA256 | ce14e2c1a9edc95f7cdeff4472652881409ee815479149e07a3133f763d7d3c3 |
| SHA512 | 68d027acacfc135a12a8c0f596b7c6e9b417400353bbae27d10cdd0db55dcd1c7eebf1046abad655a9187a0ef6b80a3c6a76567a1fba2f648ed79aa299677c3b |
memory/3600-157-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5A1C.exe
| MD5 | 349f327f0efe65997102cc92fd1c6a40 |
| SHA1 | 261f65d866066d295c181f2df6a9fcbe736c147d |
| SHA256 | 071efedc56e24562b713f77a0394ad6d949a43c7096004eecf317d0c38cd8dfd |
| SHA512 | 444aeede01f46a1e5d3da2df732bbabfda131c09650ec3b71842753cabdd1543f40b5f1aded0d2b84f3f6f754fd5ecea4b147568bab120f34e91591bdf6806e7 |
C:\Users\Admin\AppData\Local\Temp\5A1C.exe
| MD5 | 349f327f0efe65997102cc92fd1c6a40 |
| SHA1 | 261f65d866066d295c181f2df6a9fcbe736c147d |
| SHA256 | 071efedc56e24562b713f77a0394ad6d949a43c7096004eecf317d0c38cd8dfd |
| SHA512 | 444aeede01f46a1e5d3da2df732bbabfda131c09650ec3b71842753cabdd1543f40b5f1aded0d2b84f3f6f754fd5ecea4b147568bab120f34e91591bdf6806e7 |
memory/3600-160-0x0000000140000000-0x0000000140008000-memory.dmp
memory/3692-161-0x0000000000000000-mapping.dmp
memory/1456-164-0x0000000000000000-mapping.dmp
memory/3600-166-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5E15.exe
| MD5 | c6917bc242058814f64360de5b4320be |
| SHA1 | 4c1959cc707acb43a1466d166e151c517164edc2 |
| SHA256 | 732c3e3887c7e83b84fd96c6a8a2377235a29995c8656c1616dee40f8be81516 |
| SHA512 | 2bf75a0ebcbd5ff7b65a47b9b8016081c272acb6b4fe1b487a6928e682dd93e5809cd2354f4d21acbef0703c4d1b6c87af4c0d731e2799be1a6197815ec1b6bb |
C:\Users\Admin\AppData\Local\Temp\5E15.exe
| MD5 | c6917bc242058814f64360de5b4320be |
| SHA1 | 4c1959cc707acb43a1466d166e151c517164edc2 |
| SHA256 | 732c3e3887c7e83b84fd96c6a8a2377235a29995c8656c1616dee40f8be81516 |
| SHA512 | 2bf75a0ebcbd5ff7b65a47b9b8016081c272acb6b4fe1b487a6928e682dd93e5809cd2354f4d21acbef0703c4d1b6c87af4c0d731e2799be1a6197815ec1b6bb |
memory/3692-171-0x00007FFBA6E80000-0x00007FFBA7941000-memory.dmp
memory/1204-172-0x000000000079E000-0x00000000007CC000-memory.dmp
memory/1204-173-0x00000000005C0000-0x000000000060B000-memory.dmp
memory/1204-174-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1204-175-0x0000000004D50000-0x00000000052F4000-memory.dmp
memory/1204-176-0x0000000005300000-0x0000000005918000-memory.dmp
memory/1204-177-0x0000000004B50000-0x0000000004C5A000-memory.dmp
memory/1204-178-0x0000000004C70000-0x0000000004C82000-memory.dmp
memory/4728-179-0x00007FFBA6E80000-0x00007FFBA7941000-memory.dmp
memory/1456-180-0x0000000002D29000-0x0000000002D3A000-memory.dmp
memory/1204-182-0x0000000004C90000-0x0000000004CCC000-memory.dmp
memory/1456-181-0x0000000002C10000-0x0000000002C19000-memory.dmp
memory/1460-183-0x0000000000000000-mapping.dmp
memory/1460-184-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4D46.exe
| MD5 | 5a4646dc1e0caa4a0c2da0ddb1c7e97f |
| SHA1 | bd57414c9549641a54a27cb7868d318689685938 |
| SHA256 | 9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba |
| SHA512 | 6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651 |
memory/1472-189-0x0000000004F50000-0x000000000506B000-memory.dmp
memory/1460-188-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1460-186-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1472-187-0x00000000031F3000-0x0000000003284000-memory.dmp
memory/1456-190-0x0000000000400000-0x0000000002B9D000-memory.dmp
memory/1504-191-0x00000000005B0000-0x00000000005B9000-memory.dmp
memory/1504-192-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1460-193-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1504-194-0x000000000065D000-0x0000000000673000-memory.dmp
memory/2464-195-0x000000000074D000-0x0000000000763000-memory.dmp
memory/2464-196-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1272-197-0x000000000054D000-0x000000000057C000-memory.dmp
memory/1272-198-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1456-199-0x0000000000400000-0x0000000002B9D000-memory.dmp
memory/4232-200-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\423cf4da-4e8a-43ae-bcea-e06663ca0814\4D46.exe
| MD5 | 5a4646dc1e0caa4a0c2da0ddb1c7e97f |
| SHA1 | bd57414c9549641a54a27cb7868d318689685938 |
| SHA256 | 9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba |
| SHA512 | 6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651 |
memory/4212-202-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4D46.exe
| MD5 | 5a4646dc1e0caa4a0c2da0ddb1c7e97f |
| SHA1 | bd57414c9549641a54a27cb7868d318689685938 |
| SHA256 | 9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba |
| SHA512 | 6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651 |
memory/1460-204-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1204-205-0x0000000005B60000-0x0000000005BF2000-memory.dmp
memory/1204-206-0x0000000005C00000-0x0000000005C66000-memory.dmp
memory/1272-207-0x0000000006450000-0x0000000006612000-memory.dmp
memory/1272-208-0x0000000006620000-0x0000000006B4C000-memory.dmp
memory/3692-209-0x00007FFBA6E80000-0x00007FFBA7941000-memory.dmp
memory/1204-210-0x000000000079E000-0x00000000007CC000-memory.dmp
memory/4672-211-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4D46.exe
| MD5 | 5a4646dc1e0caa4a0c2da0ddb1c7e97f |
| SHA1 | bd57414c9549641a54a27cb7868d318689685938 |
| SHA256 | 9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba |
| SHA512 | 6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651 |
memory/4212-215-0x0000000004D84000-0x0000000004E15000-memory.dmp
memory/4672-214-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4672-216-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 61a9f01083346a0ee40dc68983932b14 |
| SHA1 | 85737a00e510acc709a5ea03d04a666bf41eb912 |
| SHA256 | db745e7939f305e69baa8e6fda50687f545b5b9af3cffbd290f1223d7956c1e7 |
| SHA512 | 80edf82ede77a5657e92ca9c6ec45fe28118f1f0372d33e377185f7043580ee136927922556795552b41b9bd03aaef9a0273758af375b56ad4470aa23ac88349 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 3cc091da0c5a3704f9ce7bc46b13f284 |
| SHA1 | 3649a99a5e07f0dfe23a09761e09670194c8c535 |
| SHA256 | 7fab26c9693245677988f3095959d9b96a9e332134a7a6bd58e4607ba3f59eff |
| SHA512 | 14978d80e30594372cf806d57e181195f65d5507fc6b978f07b1d6bce6802a856ed21a51f2aaba0a88451406b3f7f1aef45869e455cf1955e7ab30fd570715bf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | deb5907196e6e5e0e915c276f65a6924 |
| SHA1 | 62802115ee04a17e66297fbfd5ab8d933040ffdb |
| SHA256 | 48c65c4f7dfbf070a4e8157cd0ec68e495eb3f963668f3d51ae6fedcff7fcda1 |
| SHA512 | 4881fd5f46e1846f4e4dd3cb0295c5b48f62181bba01f8113520d97ee31b1489429281778d1ac0d58d02a3343ad97d24a96ce1d2bdbb1ddda2f77e5101f51c43 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | d5607a0118cec559f7d6ad5b3772df49 |
| SHA1 | e07bf540798f3a6a58955cd7713535dd9a880351 |
| SHA256 | fbd1788f951288c5bb16e90e3c65389f72dc56748628096e2465ffd60471ba9a |
| SHA512 | c93bbdcff7f49cdef82bac3e0ad74ec8d868cc27bb5a87f1079437d748efea2135a8e1d9e969c55760565dc613258c5d3857312d6e7f1d4fa79024192bf7515e |
memory/4672-221-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1272-222-0x000000000054D000-0x000000000057C000-memory.dmp
memory/1272-223-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1204-224-0x000000000079E000-0x00000000007CC000-memory.dmp
memory/1204-225-0x0000000000400000-0x0000000000471000-memory.dmp
memory/5104-226-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\ab072e5f-2f14-49de-be7c-832eed203752\build2.exe
| MD5 | 19b18ab424c9bfe498094eab6e124eb8 |
| SHA1 | b78148d95360125fe8e778bbff8d41eb58c48ede |
| SHA256 | f89ea963fcb584772f149a3c6a576d2a8cb037b3f956ac43dfc9ca0abe310956 |
| SHA512 | 202f57aa334bed6c55731c79804a5d05e879b3b518483668d5d73848b5409882cc90f17a4735fbb6fddb0f0a3ce3bf36c9d022e59b850b77ba679201f9c40b0b |
memory/4568-229-0x0000000000000000-mapping.dmp
memory/2808-232-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\ab072e5f-2f14-49de-be7c-832eed203752\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/3692-233-0x00007FFBA6E80000-0x00007FFBA7941000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4F99.exe
| MD5 | f776b5b8fecf6f685ba732827a2d3c46 |
| SHA1 | b22901812d68e6ccb2963fd25f1187b1a739138f |
| SHA256 | c673c1cc2dbd70c91b87d57d3ff5a2d6fd0d1410564856f8b7d047939fb89451 |
| SHA512 | b33f3b01dab36cdd2e3137a96693d149994e49a601c7c1bab5ace817824d7c148812ddce7dea4d42786ef4b01fdca27dcfedf90d995f44b6d153537279ee13c9 |
memory/3804-235-0x0000000000400000-0x00000000008D7000-memory.dmp
memory/3804-236-0x0000000000465EA0-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4F99.exe
| MD5 | f776b5b8fecf6f685ba732827a2d3c46 |
| SHA1 | b22901812d68e6ccb2963fd25f1187b1a739138f |
| SHA256 | c673c1cc2dbd70c91b87d57d3ff5a2d6fd0d1410564856f8b7d047939fb89451 |
| SHA512 | b33f3b01dab36cdd2e3137a96693d149994e49a601c7c1bab5ace817824d7c148812ddce7dea4d42786ef4b01fdca27dcfedf90d995f44b6d153537279ee13c9 |
memory/3804-239-0x0000000000400000-0x00000000008D7000-memory.dmp
memory/4728-240-0x00007FFBA6E80000-0x00007FFBA7941000-memory.dmp
memory/3804-241-0x0000000000400000-0x00000000008D7000-memory.dmp
memory/3472-242-0x0000000000000000-mapping.dmp
memory/1832-243-0x0000000000000000-mapping.dmp
memory/4680-244-0x0000000000000000-mapping.dmp
memory/4384-245-0x0000000000000000-mapping.dmp
memory/1504-246-0x0000000000000000-mapping.dmp
memory/3576-247-0x0000000000000000-mapping.dmp
memory/3576-248-0x0000000000400000-0x0000000000461000-memory.dmp
C:\Users\Admin\AppData\Local\ab072e5f-2f14-49de-be7c-832eed203752\build2.exe
| MD5 | 19b18ab424c9bfe498094eab6e124eb8 |
| SHA1 | b78148d95360125fe8e778bbff8d41eb58c48ede |
| SHA256 | f89ea963fcb584772f149a3c6a576d2a8cb037b3f956ac43dfc9ca0abe310956 |
| SHA512 | 202f57aa334bed6c55731c79804a5d05e879b3b518483668d5d73848b5409882cc90f17a4735fbb6fddb0f0a3ce3bf36c9d022e59b850b77ba679201f9c40b0b |
memory/3576-250-0x0000000000400000-0x0000000000461000-memory.dmp
memory/5104-252-0x00000000007BE000-0x00000000007EB000-memory.dmp
memory/5104-253-0x00000000006D0000-0x000000000071C000-memory.dmp
memory/3576-251-0x0000000000400000-0x0000000000461000-memory.dmp
memory/3576-254-0x0000000000400000-0x0000000000461000-memory.dmp
memory/4672-255-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FBFC.exe
| MD5 | 9748489855d9dd82ab09da5e3e55b19e |
| SHA1 | 6ed2bf6a1a53a59cd2137812cb43b5032817f6a1 |
| SHA256 | 05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b |
| SHA512 | 7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be |
memory/4212-256-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FBFC.exe
| MD5 | 9748489855d9dd82ab09da5e3e55b19e |
| SHA1 | 6ed2bf6a1a53a59cd2137812cb43b5032817f6a1 |
| SHA256 | 05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b |
| SHA512 | 7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be |
memory/4212-259-0x00000000003C0000-0x00000000003C8000-memory.dmp
memory/4212-262-0x00007FFBA6E80000-0x00007FFBA7941000-memory.dmp
memory/3576-260-0x0000000060900000-0x0000000060992000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
C:\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
memory/3804-282-0x0000000000400000-0x00000000008D7000-memory.dmp
memory/3220-283-0x0000000000000000-mapping.dmp
memory/3220-284-0x00000000001C0000-0x00000000001C7000-memory.dmp
memory/3220-285-0x00000000001B0000-0x00000000001BB000-memory.dmp
memory/3272-286-0x0000000000000000-mapping.dmp
memory/4060-287-0x0000000000000000-mapping.dmp
memory/3576-288-0x0000000000400000-0x0000000000461000-memory.dmp
memory/432-289-0x0000000000000000-mapping.dmp
memory/3272-290-0x0000000000BD0000-0x0000000000BD9000-memory.dmp
memory/3272-291-0x0000000000BC0000-0x0000000000BCF000-memory.dmp
memory/1420-292-0x0000000000000000-mapping.dmp
memory/1420-293-0x0000000000D50000-0x0000000000D55000-memory.dmp
memory/1420-294-0x0000000000D40000-0x0000000000D49000-memory.dmp
memory/1920-295-0x0000000000000000-mapping.dmp
memory/1920-296-0x00000000005C0000-0x00000000005C6000-memory.dmp
memory/1920-297-0x00000000005B0000-0x00000000005BC000-memory.dmp
memory/2108-298-0x0000000000000000-mapping.dmp
memory/116-301-0x0000000000000000-mapping.dmp
memory/4516-304-0x0000000000000000-mapping.dmp
memory/528-307-0x0000000000000000-mapping.dmp
memory/4560-310-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/2320-323-0x0000000000000000-mapping.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-10 02:56
Reported
2023-01-10 02:58
Platform
win7-20220812-en
Max time kernel
150s
Max time network
44s
Command Line
Signatures
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ab1584a0064fc4a6132e8ae530bf2a27.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ab1584a0064fc4a6132e8ae530bf2a27.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ab1584a0064fc4a6132e8ae530bf2a27.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ab1584a0064fc4a6132e8ae530bf2a27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ab1584a0064fc4a6132e8ae530bf2a27.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ab1584a0064fc4a6132e8ae530bf2a27.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ab1584a0064fc4a6132e8ae530bf2a27.exe
"C:\Users\Admin\AppData\Local\Temp\ab1584a0064fc4a6132e8ae530bf2a27.exe"
Network
Files
memory/1076-54-0x0000000076681000-0x0000000076683000-memory.dmp
memory/1076-55-0x0000000002E0B000-0x0000000002E21000-memory.dmp
memory/1076-56-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1076-57-0x0000000000400000-0x0000000002C3F000-memory.dmp
memory/1076-58-0x0000000000400000-0x0000000002C3F000-memory.dmp