Analysis Overview
SHA256: d55397282fd5a56d06fae62f5e18237ecd28dc53caeb5e993b66ed81ce6e7881
Threat Level: Known bad
The file toolspub1(1).exe was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Detect Vidar Stealer
Djvu Ransomware
Detect ZGRat V1
ZGRat
Detected Djvu ransomware
Vidar
Downloads MZ/PE file
Modifies Installed Components in the registry
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Deletes itself
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Modifies registry class
Creates scheduled task(s)
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-01-23 21:45
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-01-23 21:45
Reported: 2024-01-23 21:48
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 118s
Signatures
Detect Vidar Stealer
Detect ZGRat V1
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Vidar
ZGRat
Downloads MZ/PE file
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Deletes itself
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7485.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6c7340cf-4d1b-41b7-8a09-8b9671ff532c\\7485.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\7485.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2652 set thread context of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\7485.exe | C:\Users\Admin\AppData\Local\Temp\7485.exe |
| PID 1840 set thread context of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\7485.exe | C:\Users\Admin\AppData\Local\Temp\7485.exe |
| PID 1728 set thread context of 860 | N/A | C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe | C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe |
| PID 1068 set thread context of 2192 | N/A | C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build3.exe | C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build3.exe |
| PID 2000 set thread context of 1596 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| PID 2484 set thread context of 2496 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5F11.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5F11.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5F11.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob | C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5F11.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FC9B.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe | "C:\Users\Admin\AppData\Local\Temp\toolspub1(1).exe" |
| C:\Users\Admin\AppData\Local\Temp\5F11.exe | C:\Users\Admin\AppData\Local\Temp\5F11.exe |
| C:\Users\Admin\AppData\Local\Temp\7485.exe | C:\Users\Admin\AppData\Local\Temp\7485.exe |
| C:\Users\Admin\AppData\Local\Temp\7485.exe | C:\Users\Admin\AppData\Local\Temp\7485.exe |
| C:\Users\Admin\AppData\Local\Temp\7485.exe | "C:\Users\Admin\AppData\Local\Temp\7485.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\7485.exe | "C:\Users\Admin\AppData\Local\Temp\7485.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\6c7340cf-4d1b-41b7-8a09-8b9671ff532c" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\7C34.exe | C:\Users\Admin\AppData\Local\Temp\7C34.exe |
| C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe | "C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe" |
| C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe | "C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe" |
| C:\Users\Admin\AppData\Local\Temp\9070.exe | C:\Users\Admin\AppData\Local\Temp\9070.exe |
| C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build3.exe | "C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build3.exe" |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build3.exe | "C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build3.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 1452 |
| C:\Users\Admin\AppData\Local\Temp\FC9B.exe | C:\Users\Admin\AppData\Local\Temp\FC9B.exe |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\system32\taskeng.exe | taskeng.exe {B91CC48A-BFA5-461D-B59F-CC4E50367F2D} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1] |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 158.160.118.17:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| RU | 158.160.118.17:80 | galandskiyher5.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| AR | 190.224.203.37:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| RU | 82.147.84.194:80 | 82.147.84.194 | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| AR | 190.224.203.37:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| CO | 186.147.159.149:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | olivehr.co.za | udp |
| ZA | 41.185.8.154:80 | olivehr.co.za | tcp |
| CO | 186.147.159.149:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | | udp |
| FI | 65.109.242.152:443 | | tcp |
| FI | 65.109.242.152:443 | 65.109.242.152 | tcp |
| FI | 65.109.242.152:443 | 65.109.242.152 | tcp |
| DE | 146.0.41.68:80 | | tcp |
| FI | 65.109.242.152:443 | 65.109.242.152 | tcp |
| US | 8.8.8.8:53 | racingcycle.net | udp |
| PT | 194.38.133.167:443 | racingcycle.net | tcp |
| PT | 194.38.133.167:443 | racingcycle.net | tcp |
| US | 8.8.8.8:53 | snnclermontprojects.com | udp |
| AU | 176.97.69.235:443 | snnclermontprojects.com | tcp |
| IT | 185.196.10.146:80 | 185.196.10.146 | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 149.154.167.99:443 | | tcp |
| N/A | 149.154.167.99:443 | | tcp |
| N/A | 149.154.167.99:443 | | tcp |
| N/A | 149.154.167.99:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.103.202.103:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| SE | 192.229.221.95:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\5F11.exe
| Hash | Value |
| --- | --- |
| MD5 | 9ce6a73712203e69e4e95ebcf891d198 |
| SHA1 | 137acc0d91bfa8793c3f8f95f9a85665b22c1e97 |
| SHA256 | d55397282fd5a56d06fae62f5e18237ecd28dc53caeb5e993b66ed81ce6e7881 |
| SHA512 | d146f29c944b322bacf93e2deca44d27c160a708a27f27309cfd4176ff89a54f0c63527bfb3697b383a17562d91613ad1ee7b423bba70a59757ff3800301925d |
C:\Users\Admin\AppData\Local\Temp\7485.exe
| Hash | Value |
| --- | --- |
| MD5 | 3ff2d354490b034a1654fb2b0783bfc4 |
| SHA1 | 0452ced8b9a8f8c4a72bd795313bb7f048aa3d2b |
| SHA256 | c6572bdb6ccd2bbebeef871d39fc32fe8c9f6578aeb78cddb3c3f9cea22bc3f5 |
| SHA512 | 3a7d79390c45507a5b8aa5d2fa1a2137566c6242403828c486d919003a103f1dce2d012780fe414cbf4f6759ef08b82b22c160f8246a4e501e8fe5fc2e3563ad |
C:\Users\Admin\AppData\Local\Temp\Cab7A7D.tmp
| Hash | Value |
| --- | --- |
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 12e3c96bd51f976d3efb8f6ac5c1ed4d |
| SHA1 | e4f39f69e321114450e6f24ceb70da3853810545 |
| SHA256 | cf2bfaa11394efc794aa4a1855eee619e72b2c7bd85a3418ac4083a1da976bf0 |
| SHA512 | 20f22afa8dbf59b0daa3996cc1652a8158af637d1244e1d91db86f73d85af7672440d4d80e9467ed94edebf5335aaf3b79645e95c85a7175a8db5e5aa1ff83ee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| Hash | Value |
| --- | --- |
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| Hash | Value |
| --- | --- |
| MD5 | 085fbd5d300d51dc0d6c044135552021 |
| SHA1 | 33cb8290ac63d3593623c57c1a3ade1d471ec819 |
| SHA256 | 74587035115a21bade794ac1203a018ed76ffd118657f6b95f4275a708275aa3 |
| SHA512 | d3a11af9ff44c3a6cb0b068f0753c4aa9c5464a6c1546f2027211d5d9f089ea43445a933af8f152a520441f81ef7c8e888e5e16ae545f6de9ff51701d6888eb2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| Hash | Value |
| --- | --- |
| MD5 | 7cbb7fc3b8714908e0df78eead4db236 |
| SHA1 | 0c6099bf71eade519502fba81966346b86322b19 |
| SHA256 | 7ef574bd3089c70e3396c34cffa67bbb9bab4fcaf23e2f272f24e27653e7814f |
| SHA512 | 8efd658549ca7263f688a869d8b2ba6a9dd55e8ce73ff33f2690c241ffa42779724e951c2dc12ae19a9f49ba4a7c3e9412b36e24c3e473300a27138bfe09c510 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| Hash | Value |
| --- | --- |
| MD5 | 022452a2b0ec6c488292353f53b259dd |
| SHA1 | eae14b960462e427476faa46023d472be35e86de |
| SHA256 | c89cb303e3c0b6423d0b013f598b36273102469a842be6137ba8b0986d42039a |
| SHA512 | 22c2e2309261e05231fcc4a4526432243fbd46d8c980d8a47e8a1c5802fa09aab94ad2d25c0be2669e6b15482b35dd4d4e38eddefcb8dbceb0161f553cdc7068 |
C:\Users\Admin\AppData\Local\Temp\7C34.exe
| Hash | Value |
| --- | --- |
| MD5 | 2ec5bf4cdacfa2c66740dd1394d837fa |
| SHA1 | 6370da235c5af89816a11bdc863b060e02ee5e6b |
| SHA256 | a57d515b1ed6beffd11acbd421d918acdb1a45fe81ba5c57573a019136fcb243 |
| SHA512 | 55c961b7ef980c7a1509f5789ca7b2c21cb4c4facfe000ec79f3adda725aa244be9248f327d1ec6455f6bab4abf9726f7bd28505b26cccbe3895f9828db30df6 |
C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build2.exe
| Hash | Value |
| --- | --- |
| MD5 | 9b00df1cca53e81d90dfc2548f8d9114 |
| SHA1 | a783bde9346c8ece56aa6fec12348fea40fdf6ec |
| SHA256 | 1ae4509fb8949fab80d4cc0fefec087af17e7c5654f2a66ac04f7372edaec5fe |
| SHA512 | 406e14898fadc9aa63021d15c1e23cc812f472c6dd1fb59a29de2c4660b573e26ba13b892b2d3755e29d6fe5fe30a4d1c0550e0aca9d0bf5ae936e59d3141ffc |
C:\Users\Admin\AppData\Local\Temp\Tar8BDC.tmp
| Hash | Value |
| --- | --- |
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\Local\Temp\9070.exe
| Hash | Value |
| --- | --- |
| MD5 | 2b82eb950c4b07624724358abaee1e17 |
| SHA1 | 35b7e43f3e60c7c9423773458715f65d010c854e |
| SHA256 | 883e014f638041cc942d1125a65846156b6a0af20f3a27883817ecc2ab0d6727 |
| SHA512 | 2099a58cfd73290572793c6a9f36b5f3fdb20117eb601dfd7f62246465901cc56449c6a5e6a852a383d7a44534221aca91405ef2a6f96c76ad30ad82f16f24af |
C:\Users\Admin\AppData\Local\27fae172-29ba-4284-b80e-6a4a9ccea09d\build3.exe
| Hash | Value |
| --- | --- |
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\Temp\FC9B.exe
| Hash | Value |
| --- | --- |
| MD5 | 14f7c4b98e2c837e555d030bfbe740c4 |
| SHA1 | 695e50ac70754d449445343764d8a0c339323a04 |
| SHA256 | 585892aac1dd2104c9dc5badf75efbc0d5f363456c084741af5e251402473de0 |
| SHA512 | c72065546378ea95362d370b6e5fe6aa75e197c2a156193057f6ffe0f4c010ad3a2d7b6d024b02f7aee91b97dd6740833911107bcdb8a7fae2316e0ef8228cc5 |
Analysis: behavioral2
Detonation Overview