Analysis Overview
SHA256
d55397282fd5a56d06fae62f5e18237ecd28dc53caeb5e993b66ed81ce6e7881
Threat Level: Known bad
The file toolspub1(1).exe was found to be: Known bad.
Malicious Activity Summary
Vidar
ZGRat
Detected Djvu ransomware
Detect Vidar Stealer
Amadey
Djvu Ransomware
Detect ZGRat V1
SmokeLoader
Modifies Installed Components in the registry
Downloads MZ/PE file
Modifies file permissions
Deletes itself
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Modifies system certificate store
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-23 21:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-23 21:28
Reported
2024-01-23 21:31
Platform
win7-20231215-en
Max time kernel
150s
Max time network
133s
Command Line
Signatures
Amadey
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
SmokeLoader
Vidar
ZGRat
Downloads MZ/PE file
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C3AE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C3AE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C3AE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C3AE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C3AE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C3AE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C3AE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C3AE.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57C5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57C5.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0f6ad753-c032-4230-ad31-8304e9da2cca\\C3AE.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\C3AE.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\Windows\explorer.exe | N/A |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\57C5.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\AD8E.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\sdbsvdw | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\sdbsvdw | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\sdbsvdw | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\AD8E.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\AD8E.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob value not captured in this report] | C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob value not captured in this report] | C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AD8E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\sdbsvdw | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\57C5.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe"
C:\Users\Admin\AppData\Local\Temp\AD8E.exe
C:\Users\Admin\AppData\Local\Temp\AD8E.exe
C:\Users\Admin\AppData\Local\Temp\C3AE.exe
C:\Users\Admin\AppData\Local\Temp\C3AE.exe
C:\Users\Admin\AppData\Local\Temp\C3AE.exe
C:\Users\Admin\AppData\Local\Temp\C3AE.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\0f6ad753-c032-4230-ad31-8304e9da2cca" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\CBE9.exe
C:\Users\Admin\AppData\Local\Temp\CBE9.exe
C:\Users\Admin\AppData\Local\Temp\C3AE.exe
"C:\Users\Admin\AppData\Local\Temp\C3AE.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\C3AE.exe
"C:\Users\Admin\AppData\Local\Temp\C3AE.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe
"C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe"
C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe
"C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe"
C:\Users\Admin\AppData\Local\Temp\ECA3.exe
C:\Users\Admin\AppData\Local\Temp\ECA3.exe
C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build3.exe
"C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 1444
C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build3.exe
"C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\57C5.exe
C:\Users\Admin\AppData\Local\Temp\57C5.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {5A13B0A5-B1DF-4352-96B0-556982AA5C85} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\sdbsvdw
C:\Users\Admin\AppData\Roaming\sdbsvdw
C:\Users\Admin\AppData\Local\Temp\57C5.exe
C:\Users\Admin\AppData\Local\Temp\57C5.exe
C:\Users\Admin\AppData\Local\Temp\57C5.exe
C:\Users\Admin\AppData\Local\Temp\57C5.exe
C:\Users\Admin\AppData\Local\Temp\31BA.exe
C:\Users\Admin\AppData\Local\Temp\31BA.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 158.160.118.17:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| RU | 158.160.118.17:80 | galandskiyher5.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| KR | 211.171.233.129:80 | brusuax.com | tcp |
| RU | 82.147.84.194:80 | 82.147.84.194 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | olivehr.co.za | udp |
| ZA | 41.185.8.154:80 | olivehr.co.za | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| KR | 211.171.233.129:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| KR | 211.53.230.67:80 | habrafa.com | tcp |
| KR | 211.53.230.67:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| FI | 65.109.242.152:443 | 65.109.242.152 | tcp |
| FI | 65.109.242.152:443 | 65.109.242.152 | tcp |
| FI | 65.109.242.152:443 | 65.109.242.152 | tcp |
| DE | 146.0.41.68:80 | N/A | tcp |
| FI | 65.109.242.152:443 | 65.109.242.152 | tcp |
| US | 8.8.8.8:53 | racingcycle.net | udp |
| PT | 194.38.133.167:443 | racingcycle.net | tcp |
| PT | 194.38.133.167:443 | racingcycle.net | tcp |
| US | 8.8.8.8:53 | snnclermontprojects.com | udp |
| AU | 176.97.69.235:443 | snnclermontprojects.com | tcp |
| IT | 185.196.10.146:80 | 185.196.10.146 | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| RU | 158.160.118.17:80 | galandskiyher5.com | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| NL | 195.20.16.46:80 | 195.20.16.46 | tcp |
| US | 8.8.8.8:53 | www.cafullgas.pro | udp |
| FR | 154.56.32.6:443 | www.cafullgas.pro | tcp |
| FR | 154.56.32.6:443 | www.cafullgas.pro | tcp |
| NL | 45.15.156.13:443 | N/A | tcp |
| NL | 45.15.156.13:443 | N/A | tcp |
| US | 8.8.8.8:53 | iplis.ru | udp |
| US | 172.67.147.32:443 | iplis.ru | tcp |
Files
memory/2508-1-0x0000000000530000-0x0000000000630000-memory.dmp
memory/2508-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2508-3-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1208-4-0x0000000002B60000-0x0000000002B76000-memory.dmp
memory/2508-5-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AD8E.exe
| MD5 | 9ce6a73712203e69e4e95ebcf891d198 |
| SHA1 | 137acc0d91bfa8793c3f8f95f9a85665b22c1e97 |
| SHA256 | d55397282fd5a56d06fae62f5e18237ecd28dc53caeb5e993b66ed81ce6e7881 |
| SHA512 | d146f29c944b322bacf93e2deca44d27c160a708a27f27309cfd4176ff89a54f0c63527bfb3697b383a17562d91613ad1ee7b423bba70a59757ff3800301925d |
memory/2808-18-0x0000000000590000-0x0000000000690000-memory.dmp
memory/2808-19-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1208-20-0x0000000003DE0000-0x0000000003DF6000-memory.dmp
memory/2808-21-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C3AE.exe
| MD5 | 3ff2d354490b034a1654fb2b0783bfc4 |
| SHA1 | 0452ced8b9a8f8c4a72bd795313bb7f048aa3d2b |
| SHA256 | c6572bdb6ccd2bbebeef871d39fc32fe8c9f6578aeb78cddb3c3f9cea22bc3f5 |
| SHA512 | 3a7d79390c45507a5b8aa5d2fa1a2137566c6242403828c486d919003a103f1dce2d012780fe414cbf4f6759ef08b82b22c160f8246a4e501e8fe5fc2e3563ad |
memory/1712-30-0x00000000002E0000-0x0000000000372000-memory.dmp
memory/1712-31-0x00000000002E0000-0x0000000000372000-memory.dmp
memory/2588-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1712-34-0x0000000001F30000-0x000000000204B000-memory.dmp
memory/2588-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2588-41-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2588-40-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CBE9.exe
| MD5 | 2ec5bf4cdacfa2c66740dd1394d837fa |
| SHA1 | 6370da235c5af89816a11bdc863b060e02ee5e6b |
| SHA256 | a57d515b1ed6beffd11acbd421d918acdb1a45fe81ba5c57573a019136fcb243 |
| SHA512 | 55c961b7ef980c7a1509f5789ca7b2c21cb4c4facfe000ec79f3adda725aa244be9248f327d1ec6455f6bab4abf9726f7bd28505b26cccbe3895f9828db30df6 |
memory/564-67-0x0000000000220000-0x00000000002A1000-memory.dmp
memory/564-66-0x00000000008D0000-0x00000000009D0000-memory.dmp
memory/564-65-0x0000000000400000-0x0000000000482000-memory.dmp
memory/748-73-0x00000000004D0000-0x0000000000562000-memory.dmp
memory/2588-72-0x0000000000400000-0x0000000000537000-memory.dmp
memory/748-75-0x00000000004D0000-0x0000000000562000-memory.dmp
memory/1588-82-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1588-83-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | b314f0727e25ec3f8c73d240a3ff95af |
| SHA1 | c09c59600c1676ad7b64c945afc3f43fceb342dd |
| SHA256 | 1140ff12078738e601f4d124b35c5e0ae98636c0429afbed153dade1bdcd82c8 |
| SHA512 | 5a51164749d755905054975749138f8a177888c3042df9c7838326e1b6c3dc6a4054043a1daffd7f5994e4ac8b0e42eac24eb89e2246616057021e48ce7e9e35 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e8aac85ac044370325f888675dc0833c |
| SHA1 | 3c6154305435c3fc689799766de484b506d27d09 |
| SHA256 | bc0011a7d272476c686a8701caa7d6ccae12373d178bf53525deadd8bfd43dd2 |
| SHA512 | ed195cbbfa6b157f6fc5c42d90b7a9390768633615a9f1a1aaee812c2d42ddb5c7d870e5c76d2b73b7ec9d4367157b5a2dbfe9263402048a8c4b0714391c13f1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 7cbb7fc3b8714908e0df78eead4db236 |
| SHA1 | 0c6099bf71eade519502fba81966346b86322b19 |
| SHA256 | 7ef574bd3089c70e3396c34cffa67bbb9bab4fcaf23e2f272f24e27653e7814f |
| SHA512 | 8efd658549ca7263f688a869d8b2ba6a9dd55e8ce73ff33f2690c241ffa42779724e951c2dc12ae19a9f49ba4a7c3e9412b36e24c3e473300a27138bfe09c510 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | dc6ee0e592ca211a0a9a630fa05f11a5 |
| SHA1 | 58bfd549db79b7b6e329f1834391cf14a2da1262 |
| SHA256 | e811aeaa875154a38279c710b66cdab63c1750885785f04b28bdeec36c378527 |
| SHA512 | ce18fe05ec3865c638f80668251d7daf0022aa36387df70f50a6322bd965f90a640c8993dc9ef3c548c0a20b558d2ecfe72bf6141b79904d00534d1c03e35bb2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\Local\Temp\CabD643.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/1588-96-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1588-97-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1588-101-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1588-103-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1588-104-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build2.exe
| MD5 | 9b00df1cca53e81d90dfc2548f8d9114 |
| SHA1 | a783bde9346c8ece56aa6fec12348fea40fdf6ec |
| SHA256 | 1ae4509fb8949fab80d4cc0fefec087af17e7c5654f2a66ac04f7372edaec5fe |
| SHA512 | 406e14898fadc9aa63021d15c1e23cc812f472c6dd1fb59a29de2c4660b573e26ba13b892b2d3755e29d6fe5fe30a4d1c0550e0aca9d0bf5ae936e59d3141ffc |
memory/1404-118-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1404-121-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2372-122-0x00000000001C0000-0x00000000001EC000-memory.dmp
memory/2372-120-0x0000000000300000-0x0000000000400000-memory.dmp
memory/1404-125-0x0000000000400000-0x000000000063F000-memory.dmp
memory/1404-126-0x0000000000400000-0x000000000063F000-memory.dmp
memory/1588-127-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarEB98.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\Local\Temp\ECA3.exe
| MD5 | 2b82eb950c4b07624724358abaee1e17 |
| SHA1 | 35b7e43f3e60c7c9423773458715f65d010c854e |
| SHA256 | 883e014f638041cc942d1125a65846156b6a0af20f3a27883817ecc2ab0d6727 |
| SHA512 | 2099a58cfd73290572793c6a9f36b5f3fdb20117eb601dfd7f62246465901cc56449c6a5e6a852a383d7a44534221aca91405ef2a6f96c76ad30ad82f16f24af |
memory/1588-214-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\566df65e-ee52-4a1b-b241-ddcf564a0a03\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/1372-225-0x00000000000D0000-0x00000000000D1000-memory.dmp
memory/1372-237-0x00000000012B0000-0x0000000001B64000-memory.dmp
memory/1372-236-0x00000000000D0000-0x00000000000D1000-memory.dmp
memory/1372-239-0x00000000000D0000-0x00000000000D1000-memory.dmp
memory/1372-241-0x0000000077300000-0x0000000077301000-memory.dmp
memory/1372-240-0x00000000012B0000-0x0000000001B64000-memory.dmp
memory/1372-243-0x00000000012B0000-0x0000000001B64000-memory.dmp
memory/564-287-0x0000000000220000-0x00000000002A1000-memory.dmp
memory/2968-298-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2968-296-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3020-293-0x00000000001C0000-0x00000000001C4000-memory.dmp
memory/2968-292-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3020-290-0x0000000000290000-0x0000000000390000-memory.dmp
memory/2968-288-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1404-301-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2372-303-0x00000000001C0000-0x00000000001EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\57C5.exe
| MD5 | 14f7c4b98e2c837e555d030bfbe740c4 |
| SHA1 | 695e50ac70754d449445343764d8a0c339323a04 |
| SHA256 | 585892aac1dd2104c9dc5badf75efbc0d5f363456c084741af5e251402473de0 |
| SHA512 | c72065546378ea95362d370b6e5fe6aa75e197c2a156193057f6ffe0f4c010ad3a2d7b6d024b02f7aee91b97dd6740833911107bcdb8a7fae2316e0ef8228cc5 |
memory/1396-311-0x0000000000100000-0x00000000001C6000-memory.dmp
memory/1396-312-0x0000000072CE0000-0x00000000733CE000-memory.dmp
memory/1208-318-0x0000000002B30000-0x0000000002B31000-memory.dmp
memory/1396-324-0x0000000004C90000-0x0000000004D58000-memory.dmp
memory/1396-325-0x0000000004E60000-0x0000000004F2A000-memory.dmp
memory/1396-326-0x0000000004E60000-0x0000000004F23000-memory.dmp
memory/1396-327-0x0000000004E60000-0x0000000004F23000-memory.dmp
memory/2876-1137-0x0000000000640000-0x000000000064E000-memory.dmp
memory/2876-1260-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1396-1268-0x00000000043A0000-0x0000000004400000-memory.dmp
memory/1396-1269-0x0000000000580000-0x00000000005CC000-memory.dmp
memory/1396-1287-0x0000000072CE0000-0x00000000733CE000-memory.dmp
memory/1952-1293-0x0000000000401000-0x0000000000450000-memory.dmp
memory/2616-1299-0x0000000000080000-0x00000000000F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31BA.exe
| MD5 | 8f1d79f77c7f0c6bc7fe6c1361cc6919 |
| SHA1 | 47aad1811054297f2877bfb36dcc4eb9fbde6687 |
| SHA256 | 786feb7c36343b93848ba49429ff31aa25d587a5d443c8d079c39edbda8ee0d3 |
| SHA512 | d5d9452c593cbcb97d7b6c3988f56a625e1e082ebe81fa40eeff0bd70db745a6d689e048a490237cd55c917c0a04d93b0d33117dc9817e2d486f0d64451bd27c |
memory/2616-1317-0x0000000072D60000-0x000000007344E000-memory.dmp
memory/2404-1316-0x0000000000400000-0x0000000000498000-memory.dmp
memory/2224-1323-0x00000000002F2000-0x0000000000302000-memory.dmp
Analysis: behavioral2
Detonation Overview
Reported
0001-01-01 00:00