Analysis Overview
SHA256
800530878e98abcca258c08a58304dedeed1f5fe3e792b7bef8c6586b61084f6
Threat Level: Known bad
The file fb8ddd837ad8b94f1faf0b4920ce7b2b.bin was found to be: Known bad.
Malicious Activity Summary
Detect Vidar Stealer
Glupteba payload
Djvu Ransomware
Vidar
DcRat
Detected Djvu ransomware
Lumma Stealer
SmokeLoader
Glupteba
Modifies Windows Firewall
Downloads MZ/PE file
Deletes itself
Checks computer location settings
Modifies file permissions
Loads dropped DLL
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-08 03:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-08 03:18
Reported
2024-03-08 03:20
Platform
win7-20240221-en
Max time kernel
134s
Max time network
153s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\93807114-f534-48d5-b1e4-250b12fbfd4a\\EA9D.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\EA9D.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Vidar
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA9D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA9D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA9D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA9D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA9D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA9D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA9D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA9D.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\93807114-f534-48d5-b1e4-250b12fbfd4a\\EA9D.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\EA9D.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2528 set thread context of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\EA9D.exe | C:\Users\Admin\AppData\Local\Temp\EA9D.exe |
| PID 2824 set thread context of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\EA9D.exe | C:\Users\Admin\AppData\Local\Temp\EA9D.exe |
| PID 2064 set thread context of 2104 | N/A | C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe | C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe |
| PID 3044 set thread context of 2124 | N/A | C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe | C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe |
| PID 1956 set thread context of 2148 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
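Each row above is a process calling SetThreadContext on a child that runs the same image as the parent, which is the process-hollowing (RunPE) pattern: the parent starts a suspended copy of itself, overwrites the child's image region with the unpacked payload and points the main thread at it. The dumps worth scanning offline are therefore the child's region at 0x400000 (the default image base of a 32-bit EXE) taken late in the run, not the parent's. The block below is an added example and not part of the sandbox report: it correlates these rows with the memory/<pid>-<seq>-<start>-<end> dump names from the Files section (both copied here as sample input) and produces a scan list. Choosing the last snapshot of each region as the most likely fully-unpacked state is an assumption of the example. PID 2148 (mstsca.exe) is hollowed according to the table but has no dump in the Files list as shown, so it is reported separately.

```python
"""Select the memory dumps of hollowed child processes for offline scanning.

Added example, not part of the sandbox report. The SetThreadContext rows and
the memory/<pid>-<seq>-<start>-<end> dump names are copied from this report;
picking the last snapshot per region is an assumption.
"""
import re
from collections import defaultdict

PE_DEFAULT_IMAGE_BASE = 0x400000  # where a 32-bit EXE is mapped unless relocated

SET_THREAD_CONTEXT_ROWS = r"""
| PID 2528 set thread context of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\EA9D.exe | C:\Users\Admin\AppData\Local\Temp\EA9D.exe |
| PID 2824 set thread context of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\EA9D.exe | C:\Users\Admin\AppData\Local\Temp\EA9D.exe |
| PID 2064 set thread context of 2104 | N/A | C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe | C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe |
| PID 3044 set thread context of 2124 | N/A | C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe | C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe |
| PID 1956 set thread context of 2148 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
"""

# Dump names copied from the Files section (parents and unrelated PIDs included on purpose).
DUMP_NAMES = """
memory/2208-3-0x0000000000400000-0x0000000001F00000-memory.dmp
memory/2528-17-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2392-24-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2392-48-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1960-60-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1960-61-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1960-106-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2064-112-0x0000000000240000-0x0000000000272000-memory.dmp
memory/2104-114-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2104-267-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2124-125-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2124-129-0x0000000000400000-0x0000000000406000-memory.dmp
"""


def parse_hollowing(rows_text):
    """One dict per row: parent PID, child PID, image, and whether both sides run the same image."""
    pairs = []
    for line in rows_text.splitlines():
        m = re.search(r"PID (\d+) set thread context of (\d+)", line)
        if not m:
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        parent_image, target_image = cells[2], cells[3]
        pairs.append({"parent": int(m[1]), "child": int(m[2]), "image": target_image,
                      "self_hollow": parent_image.lower() == target_image.lower()})
    return pairs


def parse_dumps(names_text):
    """Decode memory/<pid>-<seq>-<start>-<end>-memory.dmp names into dicts."""
    dumps = []
    for name in names_text.split():
        m = re.fullmatch(r"memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp", name, re.I)
        if m:
            dumps.append({"name": name, "pid": int(m[1]), "seq": int(m[2]),
                          "start": int(m[3], 16), "end": int(m[4], 16)})
    return dumps


def scan_plan(pairs, dumps):
    """(pid, dump name, region size) per hollowed child's image-base region, plus children with no dump."""
    children = {p["child"] for p in pairs if p["self_hollow"]}
    by_pid = defaultdict(list)
    for d in dumps:
        if d["pid"] in children and d["start"] == PE_DEFAULT_IMAGE_BASE:
            by_pid[d["pid"]].append(d)
    plan = []
    for pid in sorted(by_pid):
        last = max(by_pid[pid], key=lambda d: d["seq"])  # latest snapshot: most likely fully unpacked
        plan.append((pid, last["name"], last["end"] - last["start"]))
    missing = sorted(children - set(by_pid))
    return plan, missing


if __name__ == "__main__":
    plan, missing = scan_plan(parse_hollowing(SET_THREAD_CONTEXT_ROWS), parse_dumps(DUMP_NAMES))
    for pid, name, size in plan:
        print(f"PID {pid}: {name} ({size:#x} bytes)")
    print("hollowed children without an image-base dump:", missing)
```

The parent's own dumps (2528 at 0x220000, 2064 at 0x240000) are the packer's working buffers and are deliberately excluded; the 0x400000 region of PID 2208, the original sample, is also skipped because nothing hollowed it.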
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1F16.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\harcbch | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\harcbch | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\harcbch | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Local\Temp\41F3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\41F3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\41F3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\41F3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\41F3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\AppData\Local\Temp\41F3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Users\Admin\AppData\Local\Temp\41F3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\41F3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\41F3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\AppData\Local\Temp\41F3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\AppData\Local\Temp\41F3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\41F3.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d
498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe | N/A |
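The Blob value written above is Windows' serialized certificate-context format: a run of records, each a DWORD property id, a DWORD reserved field (always 1), a DWORD length and the data. Reading the hex in order gives property 0x0f (signature hash), 0x09 (enhanced key usage), 0x53 (root-program certificate policies), 0x14 (key identifier), 0x0b (friendly name, "DigiCert" in UTF-16), 0x1d (subject-name MD5), 0x03 (SHA-1 thumbprint, the same 5FB7EE06... value as the key name) and finally 0x20, the 969-byte DER certificate whose subject strings read "DigiCert Inc" and "DigiCert High Assurance EV Root CA". That is a root in the Microsoft Trusted Root Program, and AuthRoot is the store the automatic root-certificate update writes to when a process first builds a chain to a root it does not yet hold locally; with the CryptnetUrlCache files under Files and the apps.identrust.com request under Network, this reads as a side effect of build2.exe's TLS connections rather than a rogue root being installed. The check to run before concluding either way is to decode the records and confirm that SHA-1(DER) equals both the stored thumbprint record and the key name. The block below is an added example and not part of the report: PAGE_BLOB_PREFIX is the page's own hex up to, but not including, the 0x20 record, so it parses offline; SAMPLE_BLOB is a constructed blob with a placeholder where the DER would be, so the full consistency check can run without the certificate bytes. To check the real certificate, append the 0x20 record from the row above and pass the result to thumbprint_consistent with the key name.

```python
"""Decode a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob value.

Added example, not part of the sandbox report. The Blob is Windows' serialized
certificate-context format: records of DWORD property id, DWORD reserved (1),
DWORD length, data. PAGE_BLOB_PREFIX is the page's own hex up to, but not
including, the 0x20 record carrying the DER certificate; SAMPLE_BLOB is
constructed with a placeholder instead of a real DER.
"""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 0x03
CERT_FRIENDLY_NAME_PROP_ID = 0x0B
CERT_CERT_PROP_ID = 0x20
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
    0x53: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
}


def parse_blob(blob):
    """Split a serialized certificate blob into (property id, data) records."""
    records, off = [], 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} at offset {off}")
        off += 12
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError(f"property {prop_id:#x} claims {length} bytes, {len(data)} left")
        records.append((prop_id, data))
        off += length
    return records


def build_blob(records):
    """Inverse of parse_blob; used only to construct the sample."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records)


def describe(blob):
    """Property names in order, friendly name, stored SHA-1 and the SHA-1 of the DER (if present)."""
    records = parse_blob(blob)
    props = dict(records)
    cert = props.get(CERT_CERT_PROP_ID, b"")
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "properties": [PROP_NAMES.get(pid, f"prop_{pid:#x}") for pid, _ in records],
        "friendly_name": name,
        "stored_sha1": props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper(),
        "cert_sha1": hashlib.sha1(cert).hexdigest().upper() if cert else None,
        "cert_len": len(cert),
    }


def thumbprint_consistent(key_name, blob):
    """True only when SHA-1(DER), the stored SHA-1 property and the key name all agree."""
    d = describe(blob)
    return d["cert_sha1"] is not None and d["cert_sha1"] == d["stored_sha1"] == key_name.upper()


# The page's Blob, first seven records (id / reserved / length / data); the 0x20 cert record is omitted.
PAGE_BLOB_PREFIX = bytes.fromhex(
    "0f000000" "01000000" "14000000" "e35ef08d884f0a0ade2f75e96301ce6230f213a8"
    "09000000" "01000000" "34000000"
    "303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308"
    "53000000" "01000000" "23000000"
    "3021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0"
    "14000000" "01000000" "14000000" "b13ec36903f8bf4701d498261a0802ef63642bc3"
    "0b000000" "01000000" "12000000" "440069006700690043006500720074000000"
    "1d000000" "01000000" "10000000" "8f76b981d528ad4770088245e2031b63"
    "03000000" "01000000" "14000000" "5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"
)
PAGE_KEY_NAME = "5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25"

# Constructed sample with the three records that matter; the "DER" is a placeholder, not a certificate.
FAKE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_BLOB = build_blob([
    (CERT_FRIENDLY_NAME_PROP_ID, "DigiCert\x00".encode("utf-16-le")),
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest()),
    (CERT_CERT_PROP_ID, FAKE_DER),
])
SAMPLE_KEY_NAME = hashlib.sha1(FAKE_DER).hexdigest().upper()

if __name__ == "__main__":
    print(describe(PAGE_BLOB_PREFIX))
    print("sample consistent:", thumbprint_consistent(SAMPLE_KEY_NAME, SAMPLE_BLOB))
```

A blob whose key name, stored thumbprint and DER hash disagree is the case that deserves attention: the registry can be written directly, and nothing re-hashes the certificate on the way in.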
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\harcbch | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\41F3.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\41F3.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
"C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe"
C:\Users\Admin\AppData\Local\Temp\EA9D.exe
C:\Users\Admin\AppData\Local\Temp\EA9D.exe
C:\Users\Admin\AppData\Local\Temp\EA9D.exe
C:\Users\Admin\AppData\Local\Temp\EA9D.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\93807114-f534-48d5-b1e4-250b12fbfd4a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\EA9D.exe
"C:\Users\Admin\AppData\Local\Temp\EA9D.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\EA9D.exe
"C:\Users\Admin\AppData\Local\Temp\EA9D.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe
"C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe"
C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe
"C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe"
C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe
"C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe"
C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe
"C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1444
C:\Windows\system32\taskeng.exe
taskeng.exe {4753503D-9C6A-40C0-A96F-E3DB8D6AA53D} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\harcbch
C:\Users\Admin\AppData\Roaming\harcbch
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\1F16.exe
C:\Users\Admin\AppData\Local\Temp\1F16.exe
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\32E5.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 124
C:\Users\Admin\AppData\Local\Temp\41F3.exe
C:\Users\Admin\AppData\Local\Temp\41F3.exe
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240308032022.log C:\Windows\Logs\CBS\CbsPersist_20240308032022.cab
C:\Users\Admin\AppData\Local\Temp\6369.exe
C:\Users\Admin\AppData\Local\Temp\6369.exe
C:\Users\Admin\AppData\Local\Temp\41F3.exe
"C:\Users\Admin\AppData\Local\Temp\41F3.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
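The command lines above are enough to write host-side triage rules against. The block below is an added example, not taken from the report or from any of the families named in it, and encodes six behaviours visible in this Processes section: a schtasks task that re-runs mstsca.exe from AppData every minute and another that runs C:\Windows\rss\csrss.exe elevated at logon; an icacls /deny against Everyone (S-1-1-0) that makes the dropped payload directory undeletable; a netsh inbound allow rule for a csrss.exe that does not live in System32 (the masquerade is also caught on its own); an injector launched with taskmgr.exe and a hook DLL as arguments; and the --Admin IsNotAutoStart IsNotTask / --AutoStart self-relaunch switches. SAMPLE_PROCESSES copies (image, command line) pairs from this section and adds two constructed benign lines so the rules can be seen not firing. The rule names, the system-directory and user-writable path lists and the list of masqueraded binary names are assumptions of this example.

```python
"""Triage rules for the (image, command line) pairs in the Processes section above.

Added example, not part of the sandbox report: each rule encodes one behaviour
visible in the report's own command lines. Directory lists, masqueraded binary
names and rule names are assumptions of this example.
"""
import ntpath
import re

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\sysnative")
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
# Names that only belong to Windows system binaries; the same name anywhere else is masquerading.
SYSTEM_BINARY_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe"}
EVERYONE_SID = "*s-1-1-0"
DJVU_SWITCHES = ("--admin isnotautostart isnottask", "--autostart")  # STOP/Djvu self-relaunch forms

def extract_paths(cmd):
    """Every drive-letter path on the command line, quoted ones first."""
    paths = re.findall(r'"([A-Za-z]:\\[^"]*)"', cmd)
    bare_only = re.sub(r'"[^"]*"', " ", cmd)  # drop quoted spans before taking bare paths
    return paths + re.findall(r"[A-Za-z]:\\\S+", bare_only)

def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)

def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)

def rule_masquerading_system_binary(image, cmd):
    """A system binary name run from, or pointed at, a directory outside System32/SysWOW64."""
    return any(ntpath.basename(p).lower() in SYSTEM_BINARY_NAMES and not in_system_dir(p)
               for p in extract_paths(cmd) + [image])

def rule_scheduled_task(image, cmd):
    """schtasks /create that loops every few minutes, runs elevated, or targets a user-writable path."""
    c = cmd.lower()
    if ntpath.basename(image).lower() != "schtasks.exe" or "/create" not in c:
        return False
    tight_loop = re.search(r"/sc\s+minute\s+/mo\s+[1-5]\b", c) is not None
    user_target = any(user_writable(p) for p in extract_paths(cmd))
    return tight_loop or "/rl highest" in c or user_target

def rule_firewall_allow(image, cmd):
    """netsh advfirewall inbound allow rule for a program outside the system directories."""
    c = cmd.lower()
    if "advfirewall" not in c or "add rule" not in c or "action=allow" not in c:
        return False
    return any(not in_system_dir(p) for p in extract_paths(cmd))

def rule_acl_self_protection(image, cmd):
    """icacls /deny against Everyone (S-1-1-0): the dropped payload directory is made undeletable."""
    c = cmd.lower()
    return ntpath.basename(image).lower() == "icacls.exe" and "/deny" in c and EVERYONE_SID in c

def rule_dll_injection_tool(image, cmd):
    """A DLL path plus the name of some other .exe on the command line: injector-style tooling."""
    own = ntpath.basename(image).lower()
    has_dll = any(p.lower().endswith(".dll") for p in extract_paths(cmd))
    targets = {t for t in re.findall(r"\b([a-z0-9_]+\.exe)\b", cmd.lower()) if t != own}
    return has_dll and bool(targets)

def rule_djvu_switches(image, cmd):
    return any(switch in cmd.lower() for switch in DJVU_SWITCHES)

RULES = {
    "acl_self_protection": rule_acl_self_protection,
    "dll_injection_tool": rule_dll_injection_tool,
    "firewall_allow_nonsystem_program": rule_firewall_allow,
    "masquerading_system_binary": rule_masquerading_system_binary,
    "stop_djvu_switches": rule_djvu_switches,
    "suspicious_scheduled_task": rule_scheduled_task,
}

def triage(image, cmd):
    """Sorted names of the rules that fire for one (image, command line) pair."""
    return sorted(name for name, rule in RULES.items() if rule(image, cmd))

# The first six pairs are copied from the Processes section; the last two are constructed benign lines.
SAMPLE_PROCESSES = [
    (r"C:\Windows\SysWOW64\icacls.exe",
     r'icacls "C:\Users\Admin\AppData\Local\93807114-f534-48d5-b1e4-250b12fbfd4a" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (r"C:\Users\Admin\AppData\Local\Temp\EA9D.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\EA9D.exe" --Admin IsNotAutoStart IsNotTask'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'),
    (r"C:\Windows\system32\netsh.exe",
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (r"C:\Windows\system32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"),
    (r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /sc daily /tn "NightlyBackup" /tr "C:\Windows\System32\wbadmin.exe" /f'),
    (r"C:\Windows\System32\netsh.exe",
     r'netsh advfirewall firewall add rule name="RemoteDesktop" dir=in action=allow program="C:\Windows\System32\svchost.exe" enable=yes'),
]

if __name__ == "__main__":
    for image, cmd in SAMPLE_PROCESSES:
        print(f"{image}\n    {triage(image, cmd) or 'no hits'}")
```

The rules are deliberately plain string and path checks so they translate directly into an EDR query or a Sysmon process-creation filter; triage takes the image and the command line as separate fields because, as the schtasks rows above show, the command line alone often does not name the binary.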
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| BA | 109.175.29.39:80 | sdfjhuz.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| BA | 109.175.29.39:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | sajdfue.com | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| BA | 185.12.79.25:80 | sajdfue.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| BA | 185.12.79.25:80 | sajdfue.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| DE | 88.99.127.167:9000 | 88.99.127.167 | tcp |
| DE | 88.99.127.167:9000 | 88.99.127.167 | tcp |
| DE | 88.99.127.167:9000 | 88.99.127.167 | tcp |
| DE | 88.99.127.167:9000 | 88.99.127.167 | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | trypokemon.com | udp |
| US | 172.67.185.36:443 | trypokemon.com | tcp |
| US | 8.8.8.8:53 | loftproper.com | udp |
| US | 104.21.11.77:443 | loftproper.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | valowaves.com | udp |
| US | 104.21.51.243:443 | valowaves.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | abdullahholdingsltd.com | udp |
| DE | 85.10.200.92:443 | abdullahholdingsltd.com | tcp |
| DE | 85.10.200.92:443 | abdullahholdingsltd.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | udp |
| US | 209.141.39.59:443 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | topgamecheats.dev | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | fd9f2912-7059-4173-833f-757577f77ab2.uuid.realupdate.ru | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
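Three questions a responder asks of the table above: which endpoint is being beaconed (trad-einmyus.com on 193.106.174.70:80 is contacted over fifty times over plain HTTP inside the 153 s network window), which names were resolved but never connected to (the uuid.realupdate.ru lookup has no matching TCP row), and which connections went to a bare IP with no DNS name at all (88.99.127.167:9000, where the Domain column just repeats the address). The block below is an added example and not part of the report: it reads rows in the table's own format and answers those questions. NETWORK_ROWS is a subset of the rows above copied verbatim; BEACON_THRESHOLD and IP_LOOKUP_SERVICES are assumptions of the example.

```python
"""Beaconing and DNS-only summary for a sandbox Network table.

Added example, not part of the sandbox report. NETWORK_ROWS is a verbatim
subset of the table's rows (the full table has over fifty trad-einmyus.com
rows); BEACON_THRESHOLD and IP_LOOKUP_SERVICES are assumptions.
"""
from collections import Counter

NETWORK_ROWS = """\
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| BA | 109.175.29.39:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| DE | 88.99.127.167:9000 | 88.99.127.167 | tcp |
| DE | 88.99.127.167:9000 | 88.99.127.167 | tcp |
| US | 8.8.8.8:53 | fd9f2912-7059-4173-833f-757577f77ab2.uuid.realupdate.ru | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
"""

BEACON_THRESHOLD = 5                 # assumed: this many hits on one endpoint in a ~150 s run
IP_LOOKUP_SERVICES = {"api.2ip.ua"}  # the service behind the "Looks up external IP address" signature


def parse_rows(text):
    """Parse '| Country | ip:port | domain | proto |' rows into dicts; skips a header row if present."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def summarize(rows):
    queried = {r["domain"] for r in rows if r["port"] == 53 and r["proto"] == "udp"}
    tcp = [r for r in rows if r["proto"] == "tcp"]
    per_endpoint = Counter((r["domain"], r["host"], r["port"]) for r in tcp)
    connected = {r["domain"] for r in tcp}
    return {
        # repeated connections to one endpoint: a check-in loop
        "beacon_candidates": sorted((f"{d} -> {h}:{p}", n) for (d, h, p), n in per_endpoint.items()
                                    if n >= BEACON_THRESHOLD),
        # resolved but never connected: dead, sinkholed or not-yet-active infrastructure
        "dns_only": sorted(queried - connected),
        # the Domain column repeats the IP: hard-coded endpoint with no DNS name to pivot on
        "direct_ip": sorted({f"{h}:{p}" for (d, h, p) in per_endpoint if d == h}),
        "ip_lookup": sorted(connected & IP_LOOKUP_SERVICES),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

Run against the whole table the beacon count for trad-einmyus.com is what drives a network block, while the dns_only and direct_ip lists are the entries to keep watching, since the sandbox saw no traffic to them beyond the lookup.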
Files
memory/2208-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2208-1-0x0000000002070000-0x0000000002170000-memory.dmp
memory/2208-3-0x0000000000400000-0x0000000001F00000-memory.dmp
memory/1200-4-0x0000000002A50000-0x0000000002A66000-memory.dmp
memory/2208-5-0x0000000000400000-0x0000000001F00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EA9D.exe
| MD5 | fed6be759155cfd181809b6037a91abe |
| SHA1 | 41cc6892cc5ee0a7c2bffbb4fbd0df3567d16936 |
| SHA256 | f4bdcf13d4fdd1f30458719c10f7e27c2388cd0a7f9c70ee24d3c4f21dd3e58b |
| SHA512 | 187288dc2b379ef4c4e3ef6f2469411f1d152c1f459dca077bc485bb9d977bc267c950e6d12991e8fd1338be26f5a715009ad353d60e25daa8cf73ce68e133cc |
memory/2528-17-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2528-19-0x0000000003410000-0x000000000352B000-memory.dmp
memory/2392-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2528-18-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2392-24-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2392-27-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2392-28-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2392-48-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2824-51-0x00000000002F0000-0x0000000000382000-memory.dmp
memory/2824-53-0x00000000002F0000-0x0000000000382000-memory.dmp
memory/2824-59-0x00000000002F0000-0x0000000000382000-memory.dmp
memory/1960-60-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1960-61-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | f1a1355c24cea347e0b9839d27266ff2 |
| SHA1 | aa16684d6ff980f252d753931830de0cb9dcbe00 |
| SHA256 | 04bba3927fa7ceca147277002c36d32e6352a989d91d81afd7011949ad6bd6ef |
| SHA512 | 150b2f84f1461cda01092125a51c6bdd249cf448560367f08275192faa936e03526f9eda21c98458e057b7fe09a0a1c8f1cd3492d9662b8bd5041ec9dca21056 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 3ff1bc7c53cf232b58189187c7079204 |
| SHA1 | defd944164108bb59e7f8f8d7481b772eb7e8645 |
| SHA256 | 9dc09a0cb90bd61414059817047e59b78e96af2aea1ee2fd8feccd419ab9c756 |
| SHA512 | fb8950828dbba95a5749f0a95e2be818ab50e585df36df18cf997f01ba6783dde692968436619f86b32d08464aeb0f122e71174db00b586a9fcdeec2757eea1b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d090cdf599f93236b4bdf0039372b90d |
| SHA1 | 0473ed06ebc9d985f458cd287cb741ba925efa82 |
| SHA256 | 9ce2b4a227293e203a6989feea2286f1e39c2adaef54512e3a4ccade7805b5f5 |
| SHA512 | a7197d6a317ebd44811bcbbe9a8a801d63a2d99115989cf3072ec9cb3c6ffac6631aab48a614da5c8ac524b55d5d19baf2cbb615fb5378e44ebd8487e2afe911 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | a757a2a5fb2249733650563a36836fc7 |
| SHA1 | 0e3f0f05d3fb61398e507bcde88a32ec5a88b4a8 |
| SHA256 | 5b75679110beb7d514c1f6c7b993cd540dd29856da2e2e995bafb70e77d2bf4b |
| SHA512 | 8ed6aa61e91d640f2a8983fa67d937b2abcc5f5c43375a739773b991414094121efc4a049436dd39e45d8e627e57779f1c89352a606dffa406382d875de46b97 |
C:\Users\Admin\AppData\Local\Temp\Cab1890.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/1960-74-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1960-75-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1960-79-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1960-82-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1960-81-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1960-83-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe
| MD5 | d37b17fc3b9162060a60cd9c9f5f7e2c |
| SHA1 | 5bcd761db5662cebdb06f372d8cb731a9b98d1c5 |
| SHA256 | 36826a94f7aabd1f0d71abc6850e64a499768bd30cab361e8724d546e495e35f |
| SHA512 | 04b0fcc597afba17b8be46eacee58c7e8d38c7efa9247ab5b3cbf1ae3ed8dc2e6e909b7dab28b2a41f08fb37e950abb6ca97553adf0e20335c6864d942bef6ea |
memory/1960-106-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe
| MD5 | 5c883ef6d1ad03173f30db4fc691d0a7 |
| SHA1 | 4007444885a94ad3092e287a196249bc6c1301ef |
| SHA256 | b1e0b896d1cdbe0cfe16d1d6f604640e2b22aeb144eb411086fa31d2073f316e |
| SHA512 | 125b18de452ee08cc42806f15864bb5429403ca696e385d5fb32d87cde841629e12f0d64c308c8ff7444d36c5da71e75fdc66733418bc886cad6a6e9ba7eb816 |
\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe
| MD5 | 164bc11a628ff1722c833c8e2642aca5 |
| SHA1 | 56d2d17695a85b876b736933a7f1cd5cf2acfdb1 |
| SHA256 | e76e2fa66070991fff3747fd12185ec795651b8506f290a3f1214b0eab40d330 |
| SHA512 | 099d1715e47a2c4ea346b432f186ffb6fcd94f9ec6b28ffcf5047a57b686a0135e765db75150ac14420cb9285fb02c8d390751b239a2a9446219da587a89ce9b |
C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/2104-111-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2064-112-0x0000000000240000-0x0000000000272000-memory.dmp
memory/2104-114-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2064-110-0x0000000002080000-0x0000000002180000-memory.dmp
memory/2104-118-0x0000000000400000-0x0000000000645000-memory.dmp
memory/3044-119-0x0000000000890000-0x0000000000990000-memory.dmp
memory/3044-120-0x0000000000220000-0x0000000000224000-memory.dmp
memory/2124-123-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2104-121-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2124-125-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2124-128-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2124-129-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar651A.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar6723.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6b036c055f4aad0c00b50c463e387b40 |
| SHA1 | 6588eb4c56777b71f2c7511eb8018da84ec4d19f |
| SHA256 | 063827a24a9dde07629920af417623ab1e3c082a8b4ed9c4978bbacf927e4429 |
| SHA512 | edacb63b8f88904dd5fcc108f2bc1f8079662317c05deca9e38764a41897062781d5a4942a0bc9beede69aab39bb3af570ad8bdd8d17efa4a139431b898b3eac |
memory/2104-261-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2104-267-0x0000000000400000-0x0000000000645000-memory.dmp
C:\Users\Admin\AppData\Roaming\harcbch
| MD5 | fb8ddd837ad8b94f1faf0b4920ce7b2b |
| SHA1 | c3bc51f18a1180be27c4ee0978aaa9e1295dbd4b |
| SHA256 | 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee |
| SHA512 | db218213ee139583f69b00ea7e33986857cbc73f0e549f996e0dc3b0b34282c838f874a65c13fa7e21adfb8d876ca6cef9421a19171c214b1ea98b1a99f1bc74 |
memory/1956-282-0x00000000002F0000-0x00000000003F0000-memory.dmp
memory/1036-290-0x0000000000230000-0x0000000000330000-memory.dmp
memory/1036-291-0x0000000000400000-0x0000000001F00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1F16.exe
| MD5 | 9e52aa572f0afc888c098db4c0f687ff |
| SHA1 | ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b |
| SHA256 | 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443 |
| SHA512 | d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62 |
memory/1936-296-0x0000000000A90000-0x0000000001775000-memory.dmp
memory/1936-301-0x0000000000080000-0x0000000000081000-memory.dmp
memory/1200-306-0x0000000002C90000-0x0000000002CA6000-memory.dmp
memory/1936-304-0x0000000000080000-0x0000000000081000-memory.dmp
memory/1936-303-0x0000000000A90000-0x0000000001775000-memory.dmp
memory/1036-311-0x0000000000400000-0x0000000001F00000-memory.dmp
memory/1936-308-0x0000000000080000-0x0000000000081000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\32E5.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
\Users\Admin\AppData\Local\Temp\1F16.exe
| MD5 | a608f61eaa0defa4af7c6779114e10ee |
| SHA1 | 8e8e6e9c91a6932681a6748565cdf54ad9ac01cc |
| SHA256 | 3e3e07470c28d903408e581394a479fb15911212ea26b85c335c1bdeab87dfa6 |
| SHA512 | 4c02c4c5ae7f0e876a030f84bf8646bcf8bb694566f6e3ad8fd23ff3107b937f24b2871288b4cb36bc09234b952e7d329b3c0a1046ea2a15e2ce26af34a9a219 |
\Users\Admin\AppData\Local\Temp\1F16.exe
| MD5 | 1d017007945d9fd40318c4d1e2bef800 |
| SHA1 | f014362a16b798c2475e54f13d6918421cd00871 |
| SHA256 | d463f17969d74e8ac1ccd7b1e1ca21fc5ccf025920f1a1be3aeeaa0eb03f0fdf |
| SHA512 | f0f0778f820fb840f585dcf13c4793dcc8c0f908e3b0a0baec388d6c8696b7ca5f59902b5e84f21070bebd6e897b2a6a1a12312fd0575129e2e8a6cf9a0c7167 |
memory/1936-348-0x00000000001E0000-0x00000000001E1000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4c770d8b00ba45736a2e680300799e20 |
| SHA1 | ea5b9b8fdd4037e0d10ef0556404bdf1206a591d |
| SHA256 | f27af90da678568af3a833934cea24f1707bebdcb35826d30969f7ba729e367f |
| SHA512 | 035b409f488adc436ed4763eb6dc6e60eeb4ecd0925d07af7edec24718af520690592697a112318166e3765086688d15e46a2a7f98d6f64a370ab138664498ca |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e3efb4ad1a28ca69ce0471253b644400 |
| SHA1 | 027b0955063d057c244a92624e9b1d562a27f12b |
| SHA256 | 42ae11f65fa99fd18ac5c0b07d87d6764372ca71e085df94ed79d9910ecec74f |
| SHA512 | b76f6b06994187f570fa1107a2e3de5c5890ec4b9790459e64fa78dd99bb1bd0f36f67fad5f184d7529512ae32b4a0890694b52b23071f8d6e594604cc32c201 |
C:\Users\Admin\AppData\Local\Temp\41F3.exe
| MD5 | 531e650166bd34380a22fc420d157565 |
| SHA1 | d2746da211530bc003ffc48904aade9edea63749 |
| SHA256 | 0446eebb9e91bfb557179d9e0ebccd42b8270554cca6ef696fd1b86c1a0290fd |
| SHA512 | ee2011bcfac0d470f9adc2a7972901d93a0ac81225393195e771c1b14fc603da19309883e960ef80918fc20b1f60e8aa2524ff34941986b98d5685080ad30f5f |
memory/2472-434-0x0000000003700000-0x0000000003AF8000-memory.dmp
memory/2472-435-0x0000000000400000-0x0000000001E13000-memory.dmp
memory/2472-436-0x0000000003B00000-0x00000000043EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\41F3.exe
| MD5 | 35c893e969426e8575c90e31140b4418 |
| SHA1 | 3c7081254af5161ed32d2cd180957f7c177143e5 |
| SHA256 | 3c1539b6cc4d4c166736ca5ac4fd2af4f847916417e269e9d8e72c7abb7dfca0 |
| SHA512 | c6d6754ccf0c20d66f619f75520a4cb0e7811b9d8df390580a573351474cfe3e551192296c7991abf8fe9fec43db5af9b50c6dae255efa281354f4d26255c055 |
\Users\Admin\AppData\Local\Temp\6369.exe
| MD5 | 2bd1aca75be77faf41c4bce644b4fc8b |
| SHA1 | a4b2767b2163173aae22124d4e78715ae9eaf188 |
| SHA256 | e2480e0438058403732c979ee61fefe67d2502fbf9aaee8e7b956dda7b9085eb |
| SHA512 | cf144941ecaf50b768d94c4f43305fe809218833997e2099622802e5a5247a1ff64bed3f41b96ad0d914ad12700b0e737c26b545a4ef403520095c99c0a0d9c8 |
C:\Users\Admin\AppData\Local\Temp\6369.exe
| MD5 | 6ae4f4b0c586a01c107f80dd6355354f |
| SHA1 | 384550d5f815aade2ca06586c54e4732862b3b52 |
| SHA256 | b8aa2c428216817d3879531763c4a18c93f949b16105eab19d777960540a4d6b |
| SHA512 | 5021e9a7b6845b0acc951b0d9c89622c3eed1a978944e9ee87231d4d59e57fde5d211c6e8705e2ac61396e8334670c01528aefbbbf0b10bddb1ff5a8818d8031 |
memory/2472-451-0x0000000003700000-0x0000000003AF8000-memory.dmp
memory/2472-450-0x0000000000400000-0x0000000001E13000-memory.dmp
memory/2548-452-0x0000000003830000-0x0000000003C28000-memory.dmp
memory/2548-453-0x0000000000400000-0x0000000001E13000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 19f916293b92fe0442fa99a063133136 |
| SHA1 | 8546eea89ccc6a14d49989ad4dcd3a61b5b506cb |
| SHA256 | 26386feb18e3de155565c3c59a7a1c750c237033011ddce042a50a58ff4f2960 |
| SHA512 | 610c60faa230ac11a0df3adfc6588e3f859ba821eaf483a7654a6980822772772466d19d0d447d71310c9c8a60ef78d679b1a62f4de3287fb7e0b49d5b9031c6 |
\Windows\rss\csrss.exe
| MD5 | c7cfac667cecc66fd8ed28c6b21e7f3c |
| SHA1 | b18f4285a7e0a08a33c1a9bd5f18733d7de3083a |
| SHA256 | 954be76c57653e85459fc1213daffa1e9b9489a0ebda7b20a41f2dea4ef44fb5 |
| SHA512 | 609efd107b717d7537054ebad93e0d065926cc208e05855f4394b7040d71474b468cf8a74fe845503cd048615087bf2196d6d952a5c140946a852be8e25fde74 |
\Windows\rss\csrss.exe
| MD5 | 241ee2ba95babc9e093d2d579824864c |
| SHA1 | 2264e7489180768976392e51ee8dea62c12a0277 |
| SHA256 | b4f4da977eab5e59a886a8aa0f26d42484bd9af56aa93e299126cb952a3a04cd |
| SHA512 | 2d58f91991d71b66d5dcb3048f30b6af495385b537f1e353ae73e1943c5f578dfab28c0149d08a980b76bd95eaed3dbbd9c19b81d5fdebefcb7e483ffc1370d6 |
memory/2548-464-0x0000000000400000-0x0000000001E13000-memory.dmp
memory/1936-468-0x0000000000A90000-0x0000000001775000-memory.dmp
memory/2676-476-0x0000000003570000-0x0000000003968000-memory.dmp
memory/2676-477-0x0000000000400000-0x0000000001E13000-memory.dmp
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 79d239e8c3993b4122bc6c69aa75b98e |
| SHA1 | 00b153573dbb5e073483ed20fa52c0e858ef50e3 |
| SHA256 | 416f2e005ca28fe636aa88cdf9a58d1301053d93a29d4201fb0eb711885b3e52 |
| SHA512 | 52c1a997f64b317071d37c114d3869055c5085802c1742ac7f471b6960671927707edf27ee44907912d47533a7c0be274279af1ab78fd1da3803c524af5a27ba |
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 03e03703fe5fc79e7f1d5e44e3c27b1e |
| SHA1 | 8f25ba10b5e479ae63c4c3867475502e1a6499fa |
| SHA256 | 504111bf8fb1386663a5f92bab46dc7b1171fb9c9a8b8cd100945a6c6bde311e |
| SHA512 | 1926c83c1f301800c289b16458ae30bc0927b231a5b11b12663d8a608c5ded27d8d73987ec6af46011e2f2b4e7e4c65fa7cfd50e5370d00e47784982874b88fa |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 9d1816a549b92f97216a11d5e541b2ce |
| SHA1 | 02abed0ad44b8cde7640ad8661816ea0c0f68572 |
| SHA256 | a3549e3cfff43ae683b5b5a40a881e979c176e4bb67f13ece117f2f96c20d9bd |
| SHA512 | a29425491cc9db686223586a7a88774065a064fe0582221e19d81b5edd575ad939e0bc98d4191d93ca45e70d9580ec1c55fed25c91ddb253ab1ef5c251cf1967 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
memory/744-500-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1a05839f32656c4e266f2b31fe4bed21 |
| SHA1 | 3ae8b7dfe496ec329fa5ba7647e2acdfab97a05b |
| SHA256 | 9bafe38819a2e8878e8280cf3b03ffe8c84c31c1395d1741eed2fa311234f7b9 |
| SHA512 | 9bea2d55b970cf1d7a8ceb269364044199897b00a79b7190fc207cd962956b94ea80a043f770578f0137eae008c942e4ffea57069c1fc38119b1550f234feb61 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-08 03:18
Reported
2024-03-08 03:20
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
158s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| 9 hits (no indicator detail recorded) | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| 2 hits (no indicator detail recorded) | N/A | N/A | N/A |
Lumma Stealer
SmokeLoader
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\41D6.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\41D6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\41D6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\41D6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\41D6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ificwsh | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8729.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9CD6.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\51a9255f-390b-435a-a03d-578945d2dea1\\41D6.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\41D6.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3336 set thread context of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\41D6.exe | C:\Users\Admin\AppData\Local\Temp\41D6.exe |
| PID 4588 set thread context of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\41D6.exe | C:\Users\Admin\AppData\Local\Temp\41D6.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\41D6.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ificwsh | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ificwsh | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ificwsh | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe | N/A |
| 62 further hits (no process recorded) | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ificwsh | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege (4 hits) | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege (4 hits) | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
"C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe"
C:\Users\Admin\AppData\Local\Temp\41D6.exe
C:\Users\Admin\AppData\Local\Temp\41D6.exe
C:\Users\Admin\AppData\Local\Temp\41D6.exe
C:\Users\Admin\AppData\Local\Temp\41D6.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\51a9255f-390b-435a-a03d-578945d2dea1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\41D6.exe
"C:\Users\Admin\AppData\Local\Temp\41D6.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\41D6.exe
"C:\Users\Admin\AppData\Local\Temp\41D6.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2060 -ip 2060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 568
C:\Users\Admin\AppData\Roaming\ificwsh
C:\Users\Admin\AppData\Roaming\ificwsh
C:\Users\Admin\AppData\Local\Temp\8729.exe
C:\Users\Admin\AppData\Local\Temp\8729.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8BAE.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\9CD6.exe
C:\Users\Admin\AppData\Local\Temp\9CD6.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
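The process list above shows the installation chain worth alerting on: the dropped 41D6.exe relaunches itself with `--Admin IsNotAutoStart IsNotTask`, then calls icacls to deny Everyone (S-1-1-0) the delete and delete-child rights on its GUID-named folder under %LOCALAPPDATA%, and a batch file writes a marker under HKCU\Software\clicker\key via reg.exe. The detection below is an added example, not part of the sandbox report: it runs three rules over a constructed list of process-creation events modelled on the report's process list (the field names and PIDs are this example's own assumptions, not a real log schema) and correlates the icacls deny with the relaunch arguments into a single verdict.

```python
import re

# Constructed sample of process-creation events, modelled on the report's
# 'Processes' section. Field names and PIDs are assumptions for this example.
SAMPLE_EVENTS = [
    {"pid": 3336, "ppid": 324, "image": r"C:\Users\Admin\AppData\Local\Temp\41D6.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\41D6.exe"},
    {"pid": 5012, "ppid": 2580, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r'icacls "C:\Users\Admin\AppData\Local\51a9255f-390b-435a-a03d-578945d2dea1" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"pid": 4588, "ppid": 2580, "image": r"C:\Users\Admin\AppData\Local\Temp\41D6.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\41D6.exe" --Admin IsNotAutoStart IsNotTask'},
    {"pid": 4100, "ppid": 2000, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1'},
    # Benign control: an icacls grant, no deny on Everyone, should not fire.
    {"pid": 7000, "ppid": 1, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls "C:\Users\Admin\Documents" /grant Admin:F'},
]

# Everyone (S-1-1-0) denied a rights list such as (OI)(CI)(DE,DC).
DENY_EVERYONE = re.compile(r"/deny\s+\*S-1-1-0:((?:\([A-Za-z,]+\))+)", re.I)
# GUID-named folder directly under %LOCALAPPDATA%, as in the report.
GUID_LOCALAPPDATA = re.compile(
    r"AppData\\Local\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
# Argument sets the report shows the dropped binary relaunching itself with.
DJVU_ARGS = re.compile(r"--Admin\s+IsNotAutoStart\s+IsNotTask\b|--AutoStart\b")
# Registry marker written through reg.exe by the report's batch file.
CLICKER_KEY = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?HKEY_CURRENT_USER\\Software\\clicker\\key', re.I)


def check_icacls(cmd):
    """True when icacls denies Everyone delete (DE) or delete-child (DC)
    on a GUID-named folder under %LOCALAPPDATA%."""
    m = DENY_EVERYONE.search(cmd)
    if not m:
        return False
    rights = set(re.findall(r"[A-Za-z]+", m.group(1)))  # e.g. {'OI','CI','DE','DC'}
    return bool(rights & {"DE", "DC"}) and GUID_LOCALAPPDATA.search(cmd) is not None


def scan(events):
    """Return (rule, pid) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        image = ev["image"].lower()
        if image.endswith("\\icacls.exe") and check_icacls(cmd):
            findings.append(("icacls_deny_everyone_delete", ev["pid"]))
        if DJVU_ARGS.search(cmd):
            findings.append(("djvu_style_args", ev["pid"]))
        if CLICKER_KEY.search(cmd):
            findings.append(("clicker_reg_marker", ev["pid"]))
    return findings


def verdict(findings):
    """Correlate: the ACL deny plus the relaunch arguments together are the
    install chain; any single rule alone is only suspicious."""
    rules = {rule for rule, _ in findings}
    if {"icacls_deny_everyone_delete", "djvu_style_args"} <= rules:
        return "djvu-style install chain"
    if rules:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for rule, pid in hits:
        print(f"{rule:30s} pid={pid}")
    print("verdict:", verdict(hits))
```

The deny ACE is what stops the user (and most cleanup tooling running as the user) from removing the dropped copy; when remediating, an administrator has to strip it first (`icacls <folder> /remove:d *S-1-1-0`) before the folder can be deleted.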
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 70.174.106.193.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 211.119.84.111:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 111.84.119.211.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.232.23.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | trypokemon.com | udp |
| US | 172.67.185.36:443 | trypokemon.com | tcp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 104.21.94.2:443 | resergvearyinitiani.shop | tcp |
| US | 8.8.8.8:53 | loftproper.com | udp |
| US | 104.21.11.77:443 | loftproper.com | tcp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 104.21.80.118:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | 36.185.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.94.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.11.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 172.67.195.126:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | 118.80.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.195.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 104.21.76.253:443 | turkeyunlikelyofw.shop | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 172.67.147.18:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.147.67.172.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | valowaves.com | udp |
| US | 104.21.51.243:443 | valowaves.com | tcp |
| US | 8.8.8.8:53 | 243.51.21.104.in-addr.arpa | udp |
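Most rows in the table above are noise for hunting purposes: the `8.8.8.8:53` entries are the sandbox resolver, and the `*.in-addr.arpa` names are reverse lookups of addresses already seen, not attacker infrastructure. What stands out is the repeated plain-HTTP traffic to one host (`trad-einmyus.com` on 193.106.174.70:80). The script below is an added example, not part of the report: it parses a constructed subset of the rows in the page's own table format, separates forward DNS queries from the PTR noise, counts connections per (host, port), and flags hosts contacted more often than a threshold as beacon candidates. The threshold and the choice of 53/udp as the resolver pattern are this example's assumptions.

```python
from collections import Counter

# Constructed sample: a subset of the report's network rows, same table format.
SAMPLE_ROWS = """\
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| KR | 211.119.84.111:80 | sdfjhuz.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 104.21.94.2:443 | resergvearyinitiani.shop | tcp |
| US | 172.67.195.126:443 | detectordiscusser.shop | tcp |
"""


def parse_rows(text):
    """Parse '| Country | ip:port | Domain | Proto |' rows into dicts.
    The Domain cell may be empty (direct-to-IP connections)."""
    records = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().split("|")][1:-1]
        if len(cells) != 4 or cells[0] == "Country":  # skip header / malformed
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        records.append({"country": country, "ip": ip, "port": int(port),
                        "domain": domain, "proto": proto})
    return records


def triage(records, resolver_port=53, threshold=5):
    """Split resolver traffic from real connections and rank the latter.

    Returns a dict with:
      contacted   Counter of (host, port) for non-resolver connections
      dns_queries forward names queried (PTR / in-addr.arpa lookups dropped)
      beacons     (host, port, count) with count >= threshold, busiest first
    """
    contacted = Counter()
    dns_queries = set()
    for r in records:
        if r["port"] == resolver_port and r["proto"] == "udp":
            if not r["domain"].endswith(".in-addr.arpa"):
                dns_queries.add(r["domain"])
            continue
        host = r["domain"] or r["ip"]  # fall back to the IP when no name was seen
        contacted[(host, r["port"])] += 1
    beacons = sorted(
        ((host, port, n) for (host, port), n in contacted.items() if n >= threshold),
        key=lambda item: -item[2])
    return {"contacted": contacted, "dns_queries": dns_queries, "beacons": beacons}


if __name__ == "__main__":
    result = triage(parse_rows(SAMPLE_ROWS), threshold=3)
    for host, port, n in result["beacons"]:
        print(f"beacon candidate: {host}:{port} ({n} connections)")
    print("queried names:", sorted(result["dns_queries"]))
```

On the full table the same logic ranks `trad-einmyus.com:80` far above everything else; `api.2ip.ua` should be read together with the "Looks up external IP address via web service" signature rather than as command-and-control, and `tse1.mm.bing.net` is ordinary Windows background traffic on this image.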
Files
memory/324-1-0x00000000021C0000-0x00000000022C0000-memory.dmp
memory/324-2-0x0000000002160000-0x000000000216B000-memory.dmp
memory/324-3-0x0000000000400000-0x0000000001F00000-memory.dmp
memory/3344-4-0x00000000024B0000-0x00000000024C6000-memory.dmp
memory/324-5-0x0000000000400000-0x0000000001F00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\41D6.exe
| MD5 | fed6be759155cfd181809b6037a91abe |
| SHA1 | 41cc6892cc5ee0a7c2bffbb4fbd0df3567d16936 |
| SHA256 | f4bdcf13d4fdd1f30458719c10f7e27c2388cd0a7f9c70ee24d3c4f21dd3e58b |
| SHA512 | 187288dc2b379ef4c4e3ef6f2469411f1d152c1f459dca077bc485bb9d977bc267c950e6d12991e8fd1338be26f5a715009ad353d60e25daa8cf73ce68e133cc |
memory/3336-16-0x0000000003740000-0x00000000037DC000-memory.dmp
memory/3336-17-0x00000000037E0000-0x00000000038FB000-memory.dmp
memory/2580-18-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2580-20-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2580-21-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2580-22-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2580-32-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4588-35-0x0000000001D20000-0x0000000001DC2000-memory.dmp
memory/2060-38-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2060-39-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2060-41-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Roaming\ificwsh
| MD5 | fb8ddd837ad8b94f1faf0b4920ce7b2b |
| SHA1 | c3bc51f18a1180be27c4ee0978aaa9e1295dbd4b |
| SHA256 | 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee |
| SHA512 | db218213ee139583f69b00ea7e33986857cbc73f0e549f996e0dc3b0b34282c838f874a65c13fa7e21adfb8d876ca6cef9421a19171c214b1ea98b1a99f1bc74 |
memory/4380-47-0x0000000002030000-0x0000000002130000-memory.dmp
memory/4380-48-0x0000000000400000-0x0000000001F00000-memory.dmp
memory/3344-49-0x0000000002680000-0x0000000002696000-memory.dmp
memory/4380-50-0x0000000000400000-0x0000000001F00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8729.exe
| MD5 | 0a2ce3c3650ff5a51aef60b7f14f30c2 |
| SHA1 | 2332b0b94b614205f45a43d1d025f4985f056de0 |
| SHA256 | 32262f826b78815fd8f9043bea69e04d4d8bd9ff85c10b831f85472bafa5f0b8 |
| SHA512 | 683478df64cd1bd8790fb96e2999ea8e0d1bd35afc8c164974741c13163e133366140b5f400c05d1e92cf5f37f3a33cebd182771c3b85c637e6b5509f3c3568c |
C:\Users\Admin\AppData\Local\Temp\8729.exe
| MD5 | f288edcc3a1f8e8d2e3b0ce1989a3312 |
| SHA1 | 024df82d2ca4830c4ccbd0afee9f2e5ae764436a |
| SHA256 | 3f61c08f68e1683c10ee02753c70dbe3d9774b9b9e377d844ffeac63a31dbc5e |
| SHA512 | c9e4113b66db3fd37e8e1ae9599787c1bcc04b0fedcd9e1451013a25cc8c66b042a4d89e3a9ab30796f3b924f6d9ca6050db39296d2e01d898283e803e3e39e6 |
C:\Users\Admin\AppData\Local\Temp\8BAE.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
memory/2000-63-0x00000000005C0000-0x00000000012A5000-memory.dmp
memory/2000-68-0x00000000032B0000-0x00000000032B1000-memory.dmp
memory/2000-70-0x00000000005C0000-0x00000000012A5000-memory.dmp
memory/2000-69-0x00000000032C0000-0x00000000032C1000-memory.dmp
memory/2000-71-0x00000000032F0000-0x00000000032F1000-memory.dmp
memory/2000-72-0x0000000003300000-0x0000000003301000-memory.dmp
memory/2000-73-0x0000000003310000-0x0000000003311000-memory.dmp
memory/2000-74-0x0000000003320000-0x0000000003321000-memory.dmp
memory/2000-75-0x00000000005C0000-0x00000000012A5000-memory.dmp
memory/2000-76-0x0000000003340000-0x0000000003372000-memory.dmp
memory/2000-77-0x0000000003340000-0x0000000003372000-memory.dmp
memory/2000-78-0x0000000003340000-0x0000000003372000-memory.dmp
memory/2000-80-0x0000000003340000-0x0000000003372000-memory.dmp
memory/2000-79-0x0000000003340000-0x0000000003372000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9CD6.exe
| MD5 | 531e650166bd34380a22fc420d157565 |
| SHA1 | d2746da211530bc003ffc48904aade9edea63749 |
| SHA256 | 0446eebb9e91bfb557179d9e0ebccd42b8270554cca6ef696fd1b86c1a0290fd |
| SHA512 | ee2011bcfac0d470f9adc2a7972901d93a0ac81225393195e771c1b14fc603da19309883e960ef80918fc20b1f60e8aa2524ff34941986b98d5685080ad30f5f |
memory/2000-86-0x00000000005C0000-0x00000000012A5000-memory.dmp
memory/1188-87-0x0000000003B70000-0x0000000003F72000-memory.dmp
memory/1188-88-0x0000000003F80000-0x000000000486B000-memory.dmp
memory/1188-89-0x0000000000400000-0x0000000001E13000-memory.dmp
memory/1532-91-0x00000000744C0000-0x0000000074C70000-memory.dmp
memory/1532-90-0x0000000002720000-0x0000000002756000-memory.dmp
memory/1532-92-0x0000000002350000-0x0000000002360000-memory.dmp
memory/1532-93-0x0000000002350000-0x0000000002360000-memory.dmp
memory/1532-94-0x0000000004EF0000-0x0000000005518000-memory.dmp
memory/1532-95-0x0000000004D40000-0x0000000004D62000-memory.dmp
memory/1532-97-0x0000000005690000-0x00000000056F6000-memory.dmp
memory/1532-96-0x0000000005620000-0x0000000005686000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k4004tl3.ie3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1532-107-0x0000000005700000-0x0000000005A54000-memory.dmp
memory/1532-108-0x0000000005D00000-0x0000000005D1E000-memory.dmp
memory/1532-109-0x0000000005D60000-0x0000000005DAC000-memory.dmp
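Two things in the file lists above are easy to miss when the hashes are copied out by hand. First, `C:\Users\Admin\AppData\Roaming\ificwsh` (and `harcbch` in the Windows 7 run) carries exactly the hashes of the submitted sample, so it is a self-copy used for persistence, not a new payload. Second, several paths (`8729.exe`, `41F3.exe`, `build3.exe`, `csrss.exe`) are listed more than once with different digests, meaning the file on disk changed during the run (a partial write followed by the complete file, or a self-overwrite), so an IOC list must carry every digest, not only the last one. The parser below is an added example, not part of the report: it reads a constructed subset of the "Files" section in the page's own layout (SHA512 rows omitted for brevity), groups digests by path, and reports self-copies and rewritten paths. Merging the report's drive-less `\Users\...` paths with their `C:\Users\...` twins is this example's assumption.

```python
import re

# SHA256 of the submitted sample, taken from the report's overview.
SUBMITTED_SHA256 = "29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee"

# Constructed sample: a subset of the report's 'Files' section, same layout.
SAMPLE_FILES = r"""
memory/324-1-0x00000000021C0000-0x00000000022C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\41D6.exe
| MD5 | fed6be759155cfd181809b6037a91abe |
| SHA1 | 41cc6892cc5ee0a7c2bffbb4fbd0df3567d16936 |
| SHA256 | f4bdcf13d4fdd1f30458719c10f7e27c2388cd0a7f9c70ee24d3c4f21dd3e58b |
C:\Users\Admin\AppData\Roaming\ificwsh
| MD5 | fb8ddd837ad8b94f1faf0b4920ce7b2b |
| SHA1 | c3bc51f18a1180be27c4ee0978aaa9e1295dbd4b |
| SHA256 | 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee |
C:\Users\Admin\AppData\Local\Temp\8729.exe
| MD5 | 0a2ce3c3650ff5a51aef60b7f14f30c2 |
| SHA256 | 32262f826b78815fd8f9043bea69e04d4d8bd9ff85c10b831f85472bafa5f0b8 |
\Users\Admin\AppData\Local\Temp\8729.exe
| MD5 | f288edcc3a1f8e8d2e3b0ce1989a3312 |
| SHA256 | 3f61c08f68e1683c10ee02753c70dbe3d9774b9b9e377d844ffeac63a31dbc5e |
"""


def normalise(path):
    """Drop a leading drive letter so 'C:\\Users\\..' and '\\Users\\..' group
    together (assumption: the report's drive-less paths live on C:)."""
    return re.sub(r"^[A-Za-z]:", "", path)


def parse_files(text):
    """Return [(path, {ALGO: digest}), ...] in report order.
    Path lines introduce an entry; '| ALGO | hex |' rows attach to the
    most recent path; memory-dump lines are skipped."""
    entries = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.split("|")][1:-1]
            if current is not None and len(cells) == 2:
                current[1][cells[0].upper()] = cells[1].lower()
            continue
        current = (normalise(line), {})
        entries.append(current)
    return entries


def analyse(entries, submitted_sha256):
    """Group digests by path and derive the two facts worth recording:
    self_copies  paths whose SHA256 equals the submitted sample
    rewritten    paths listed with more than one distinct SHA256
    sha256       every distinct SHA256 seen, for the IOC list"""
    by_path = {}
    for path, digests in entries:
        by_path.setdefault(path, []).append(digests)
    self_copies = sorted(p for p, ds in by_path.items()
                         if any(d.get("SHA256") == submitted_sha256 for d in ds))
    rewritten = sorted(p for p, ds in by_path.items()
                       if len({d.get("SHA256") for d in ds}) > 1)
    sha256 = sorted({d["SHA256"] for _, d in entries if "SHA256" in d})
    return {"self_copies": self_copies, "rewritten": rewritten, "sha256": sha256}


if __name__ == "__main__":
    report = analyse(parse_files(SAMPLE_FILES), SUBMITTED_SHA256)
    print("self-copies of the sample:", report["self_copies"])
    print("paths rewritten during the run:", report["rewritten"])
    print("distinct SHA256 values:", len(report["sha256"]))
```

When the same parser is run over the full section, the Windows 7 run's `harcbch` joins `ificwsh` as a self-copy, and the rewritten list grows to include `41F3.exe`, `1F16.exe`, `6369.exe`, `build3.exe`, `csrss.exe`, `patch.exe` and `ntkrnlmp.exe`, which is why the hash list for this detonation is much longer than its list of file names.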