Malware Analysis Report

2025-01-02 11:12

Sample ID 240310-yf9jbsba9w
Target 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e
SHA256 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e
Tags
dcrat djvu smokeloader vidar e2da5861d01d391b927839bbec00e666 pub1 backdoor discovery infostealer persistence ransomware rat stealer trojan lumma zgrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e

Threat Level: Known bad

The file 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e was found to be: Known bad.

Malicious Activity Summary

Detect ZGRat V1

Detect Vidar Stealer

Lumma Stealer

DcRat

Djvu Ransomware

ZGRat

Vidar

SmokeLoader

Detected Djvu ransomware

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Detects Windows executables referencing non-Windows User-Agents

Downloads MZ/PE file

Executes dropped EXE

Modifies file permissions

Deletes itself

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-10 19:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-10 19:44

Reported

2024-03-10 19:47

Platform

win7-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ec563fd8-b598-4da5-b8f8-3eacad193e6b\\5429.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5429.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ec563fd8-b598-4da5-b8f8-3eacad193e6b\\5429.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5429.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 2824 N/A N/A C:\Windows\system32\cmd.exe
PID 1208 wrote to memory of 2824 N/A N/A C:\Windows\system32\cmd.exe
PID 1208 wrote to memory of 2824 N/A N/A C:\Windows\system32\cmd.exe
PID 2824 wrote to memory of 1360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2824 wrote to memory of 1360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2824 wrote to memory of 1360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1208 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 1208 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 1208 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 1208 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2892 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2892 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2892 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2892 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2892 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2892 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2892 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2892 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2892 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2892 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2892 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2648 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Windows\SysWOW64\icacls.exe
PID 2648 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Windows\SysWOW64\icacls.exe
PID 2648 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Windows\SysWOW64\icacls.exe
PID 2648 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Windows\SysWOW64\icacls.exe
PID 2648 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2648 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2648 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2648 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2384 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2384 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2384 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2384 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2384 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2384 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2384 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2384 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2384 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2384 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 2384 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\Temp\5429.exe
PID 1956 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe
PID 1956 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe
PID 1956 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe
PID 1956 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe
PID 1956 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe
PID 1956 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe
PID 1956 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe
PID 1956 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\5429.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe
PID 1616 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe
PID 1616 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe
PID 1616 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe
PID 1616 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe
PID 1616 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe
PID 1616 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe
PID 1616 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe
PID 1616 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe
PID 1616 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe
PID 1616 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe
PID 1616 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe
PID 1804 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe
PID 1804 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe
PID 1804 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe
PID 1804 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe
PID 1804 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe

"C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\32D3.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\5429.exe

C:\Users\Admin\AppData\Local\Temp\5429.exe

C:\Users\Admin\AppData\Local\Temp\5429.exe

C:\Users\Admin\AppData\Local\Temp\5429.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ec563fd8-b598-4da5-b8f8-3eacad193e6b" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\5429.exe

"C:\Users\Admin\AppData\Local\Temp\5429.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5429.exe

"C:\Users\Admin\AppData\Local\Temp\5429.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe

"C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe"

C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe

"C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe"

C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe

"C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe"

C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe

"C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 1468

C:\Windows\system32\taskeng.exe

taskeng.exe {8C5FF458-025A-440D-A792-94536AED20DC} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\DCBA.exe

C:\Users\Admin\AppData\Local\Temp\DCBA.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\E1DA.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\1318.exe

C:\Users\Admin\AppData\Local\Temp\1318.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
PE 190.117.160.108:80 sdfjhuz.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 bitbucket.org udp
AU 104.192.141.1:443 bitbucket.org tcp
AU 104.192.141.1:443 bitbucket.org tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 104.21.65.24:443 api.2ip.ua tcp
PE 190.117.160.108:80 sdfjhuz.com tcp
US 8.8.8.8:53 sajdfue.com udp
AR 190.220.21.28:80 sajdfue.com tcp
AR 190.220.21.28:80 sajdfue.com tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
DE 49.13.89.149:443 49.13.89.149 tcp
DE 49.13.89.149:443 49.13.89.149 tcp
DE 49.13.89.149:443 49.13.89.149 tcp
DE 49.13.89.149:443 49.13.89.149 tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 valowaves.com udp
US 104.21.51.243:443 valowaves.com tcp

Files

memory/2136-1-0x00000000005A0000-0x00000000006A0000-memory.dmp

memory/2136-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2136-3-0x0000000000400000-0x000000000046B000-memory.dmp

memory/2136-5-0x0000000000400000-0x000000000046B000-memory.dmp

memory/1208-4-0x0000000002A00000-0x0000000002A16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\32D3.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\5429.exe

MD5 34fde9d03541c0ed5419a5f836e484c6
SHA1 06b08899348a41347284ca56cefd02783a2e4e90
SHA256 419b2e437adbe8a00d794e190d387ce91a24243227418c33b5a556adcda46bd1
SHA512 880c0a3f1b47aeac1b96f6e775e693921803dfcf5fb99352ec92f7cc9d89e1a05cdb01408e7de6580818c2431df022ba953b555711a7e5e4de85de01113a1488

memory/2892-26-0x00000000002D0000-0x0000000000362000-memory.dmp

memory/2892-27-0x00000000002D0000-0x0000000000362000-memory.dmp

memory/2892-30-0x0000000001E30000-0x0000000001F4B000-memory.dmp

memory/2648-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2648-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2892-36-0x00000000002D0000-0x0000000000362000-memory.dmp

memory/2648-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2648-38-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\5429.exe

MD5 9bae76361c0ac7402418f89e141502a7
SHA1 dde58fea1bb0c67f6ac7b79df84215c768862981
SHA256 1397728a05b9834b1cd907acb926fa13c82d1b8e51a6dd5438008c39dbe3a511
SHA512 0b9e1ce7f898cf236b1dcfa64ad8c028633074647f393316df5723efd42c7122a77143ed8c901132b7bd2fa1c0d61941b6df03f9d7ad247506d8125ce931fce0

memory/2384-60-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2384-62-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2648-59-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1956-69-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1956-70-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 54fcc88719bd16dd01b6f728162c598e
SHA1 b7b18ee4df2c5f059a160396431953166f4b9d5e
SHA256 7d98dced4a198056905ff491ff2ead9fc20d382f27bfa34417f6176230e9694f
SHA512 9eb3f1c397db85f8873f4194918ea6292be3a5daed218f911a10ac994ef8f4360e60c417e4ba9c230d59a1b24894f752738d40a6fb127335b03cf47d821874bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 2c0b5c750e841aad9332e8c14bad9d4a
SHA1 50b504c86dbc47a06ccdcb155d3bafa70e65b091
SHA256 8786c222ffffb5a5b216c445c5cc0934d9fbe9d53d088fa66b88ff18fc137ff8
SHA512 eec8afe69c1774965d7b789cf74f2fed9c63cbe2b9b23a48e940646f29db40f38d6a90d08f4ed4d6efa5e90519c11a1826a135b8e45acd6aaaaa354a9c4886ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7e8f359f842f63d4f8e11b673e763622
SHA1 a7865040b538d6aaa80bc37e89372c61b7427be8
SHA256 f04843e27ab3a622e565eea01945462567d713146b1cbca62c89d2495e924450
SHA512 f417bf439068b5205190c6ca559d14b0aa4a19af87530fc4e46eda587f80281cb8e567bf6caaa74b02f29f1247afec461eebf2ce1e6a079f675d1f304c9b1fd4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 89448e497b47ab299d1443b597793cdc
SHA1 dce7847680f538bf7998550b8d62c01085d052f9
SHA256 a6e60ad9c5a08fe2d84a51f14f2d090d9896ec0f2d351ac6607ed730bab36890
SHA512 f70f9d69ff3c5617f12fcfc95825f2088e48bd067ed2416b0eb788fb65f3b96231c6763d82fd6d70ecaef1a3229319d06cecd65678d0fd1f95b2abd9f1423191

C:\Users\Admin\AppData\Local\Temp\Cab89C9.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/1956-83-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1956-84-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1956-88-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1956-90-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1956-91-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1956-92-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe

MD5 d37b17fc3b9162060a60cd9c9f5f7e2c
SHA1 5bcd761db5662cebdb06f372d8cb731a9b98d1c5
SHA256 36826a94f7aabd1f0d71abc6850e64a499768bd30cab361e8724d546e495e35f
SHA512 04b0fcc597afba17b8be46eacee58c7e8d38c7efa9247ab5b3cbf1ae3ed8dc2e6e909b7dab28b2a41f08fb37e950abb6ca97553adf0e20335c6864d942bef6ea

memory/1956-114-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1616-118-0x0000000002350000-0x0000000002450000-memory.dmp

memory/1616-119-0x0000000000240000-0x0000000000272000-memory.dmp

memory/2344-121-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2344-123-0x0000000000400000-0x0000000000645000-memory.dmp

memory/2344-126-0x0000000000400000-0x0000000000645000-memory.dmp

memory/2344-127-0x0000000000400000-0x0000000000645000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarB990.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\TarBD8C.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

memory/1804-207-0x0000000000890000-0x0000000000990000-memory.dmp

memory/1804-209-0x0000000000220000-0x0000000000224000-memory.dmp

memory/1576-210-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1576-212-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1576-215-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1576-217-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1576-238-0x0000000000410000-0x0000000000477000-memory.dmp

memory/2344-285-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1836-303-0x0000000000920000-0x0000000000A20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DCBA.exe

MD5 9e52aa572f0afc888c098db4c0f687ff
SHA1 ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA256 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512 d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

memory/440-315-0x0000000000F80000-0x0000000001C65000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-10 19:44

Reported

2024-03-10 19:47

Platform

win10v2004-20240226-en

Max time kernel

154s

Max time network

176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DBF5.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\21f12759-31e3-4760-a46e-0a933afd6000\\DBF5.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\DBF5.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3940 set thread context of 4376 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 2020 set thread context of 3964 N/A C:\Users\Admin\AppData\Local\Temp\EDC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2544 set thread context of 3324 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3332 wrote to memory of 392 N/A N/A C:\Windows\system32\cmd.exe
PID 3332 wrote to memory of 392 N/A N/A C:\Windows\system32\cmd.exe
PID 392 wrote to memory of 4404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 392 wrote to memory of 4404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3332 wrote to memory of 3940 N/A N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 3332 wrote to memory of 3940 N/A N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 3332 wrote to memory of 3940 N/A N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 3940 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 3940 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 3940 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 3940 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 3940 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 3940 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 3940 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 3940 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 3940 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 3940 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 3332 wrote to memory of 2020 N/A N/A C:\Users\Admin\AppData\Local\Temp\EDC8.exe
PID 3332 wrote to memory of 2020 N/A N/A C:\Users\Admin\AppData\Local\Temp\EDC8.exe
PID 3332 wrote to memory of 2020 N/A N/A C:\Users\Admin\AppData\Local\Temp\EDC8.exe
PID 4376 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Windows\SysWOW64\icacls.exe
PID 4376 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Windows\SysWOW64\icacls.exe
PID 4376 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Windows\SysWOW64\icacls.exe
PID 2020 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\EDC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2020 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\EDC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2020 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\EDC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2020 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\EDC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2020 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\EDC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2020 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\EDC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2020 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\EDC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2020 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\EDC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2020 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\EDC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2020 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\EDC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2020 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\EDC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2020 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\EDC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4376 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 4376 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 4376 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 2544 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 2544 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 2544 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 2544 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 2544 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 2544 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 2544 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 2544 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 2544 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 2544 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\DBF5.exe C:\Users\Admin\AppData\Local\Temp\DBF5.exe
PID 3332 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\Temp\19B6.exe
PID 3332 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\Temp\19B6.exe
PID 3332 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\Temp\19B6.exe
PID 3332 wrote to memory of 4196 N/A N/A C:\Windows\system32\cmd.exe
PID 3332 wrote to memory of 4196 N/A N/A C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 3488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4196 wrote to memory of 3488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3332 wrote to memory of 3080 N/A N/A C:\Users\Admin\AppData\Local\Temp\5450.exe
PID 3332 wrote to memory of 3080 N/A N/A C:\Users\Admin\AppData\Local\Temp\5450.exe
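
The two tables above (Suspicious use of SetThreadContext and Suspicious use of WriteProcessMemory) only make sense together: a parent that writes into a child and then calls SetThreadContext on it is the classic process-hollowing / thread-hijack sequence, while writes alone are also what any parent does when it launches a child. The script below is an added example, not part of the report. It parses rows in the report's own "PID A wrote to memory of B ..." shape and groups them per (source, target) pair; SAMPLE_ROWS is a subset transcribed from the tables with repeats reduced, and the parser assumes the process and target paths contain no spaces, which holds for every row here.

```python
"""Correlate WriteProcessMemory and SetThreadContext rows into injection chains.
Added example, not part of the sandbox report. SAMPLE_ROWS is a subset of the
report's rows (repeats reduced); the parser assumes paths without spaces."""
from __future__ import annotations
import re
from dataclasses import dataclass

ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+)"
    r"\s+(?P<indicator>\S+)\s+(?P<proc>\S+)\s+(?P<target>\S+)$"
)


@dataclass
class Chain:
    src_pid: int
    dst_pid: int
    src_image: str      # 'N/A' when the report did not resolve the writer
    dst_image: str
    writes: int = 0
    set_context: bool = False

    @property
    def verdict(self) -> str:
        # Writes followed by SetThreadContext on the same target is the
        # hollowing / thread-hijack pattern; writes alone are not flagged.
        if not (self.writes and self.set_context):
            return "write-only"
        if self.src_image.lower() == self.dst_image.lower():
            return "self-injection"          # DBF5.exe re-executing itself
        return "cross-image-injection"      # EDC8.exe -> RegAsm.exe


def build_chains(rows: str) -> dict[tuple[int, int], Chain]:
    chains: dict[tuple[int, int], Chain] = {}
    for line in rows.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        key = (int(m["src"]), int(m["dst"]))
        c = chains.setdefault(key, Chain(*key, m["proc"], m["target"]))
        if m["op"].startswith("wrote"):
            c.writes += 1
        else:
            c.set_context = True
    return chains


def injections(chains: dict[tuple[int, int], Chain]) -> list[Chain]:
    return [c for c in chains.values() if c.verdict != "write-only"]


T = r"C:\Users\Admin\AppData\Local\Temp"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
# Subset of the report's rows; the PIDs and images are the report's own.
SAMPLE_ROWS = f"""
PID 3332 wrote to memory of 392 N/A N/A C:\\Windows\\system32\\cmd.exe
PID 3332 wrote to memory of 3940 N/A N/A {T}\\DBF5.exe
PID 3940 wrote to memory of 4376 N/A {T}\\DBF5.exe {T}\\DBF5.exe
PID 3940 wrote to memory of 4376 N/A {T}\\DBF5.exe {T}\\DBF5.exe
PID 3940 set thread context of 4376 N/A {T}\\DBF5.exe {T}\\DBF5.exe
PID 2020 wrote to memory of 2760 N/A {T}\\EDC8.exe {REGASM}
PID 2020 wrote to memory of 3964 N/A {T}\\EDC8.exe {REGASM}
PID 2020 wrote to memory of 3964 N/A {T}\\EDC8.exe {REGASM}
PID 2020 set thread context of 3964 N/A {T}\\EDC8.exe {REGASM}
PID 2544 wrote to memory of 3324 N/A {T}\\DBF5.exe {T}\\DBF5.exe
PID 2544 set thread context of 3324 N/A {T}\\DBF5.exe {T}\\DBF5.exe
"""

if __name__ == "__main__":
    for c in injections(build_chains(SAMPLE_ROWS)):
        print(f"{c.src_pid} -> {c.dst_pid}: {c.verdict} "
              f"({c.writes} writes) {c.src_image} -> {c.dst_image}")
```

Note that PID 2020 also wrote into a second RegAsm.exe instance (PID 2760) without a matching SetThreadContext row; the correlation leaves that pair as write-only rather than guessing, which is the right default when the report does not show the thread-context step.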

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe

"C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BF73.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5084 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\DBF5.exe

C:\Users\Admin\AppData\Local\Temp\DBF5.exe

C:\Users\Admin\AppData\Local\Temp\DBF5.exe

C:\Users\Admin\AppData\Local\Temp\DBF5.exe

C:\Users\Admin\AppData\Local\Temp\EDC8.exe

C:\Users\Admin\AppData\Local\Temp\EDC8.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\21f12759-31e3-4760-a46e-0a933afd6000" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\DBF5.exe

"C:\Users\Admin\AppData\Local\Temp\DBF5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\DBF5.exe

"C:\Users\Admin\AppData\Local\Temp\DBF5.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3324 -ip 3324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 568

C:\Users\Admin\AppData\Local\Temp\19B6.exe

C:\Users\Admin\AppData\Local\Temp\19B6.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\237B.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\5450.exe

C:\Users\Admin\AppData\Local\Temp\5450.exe
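
Two rows above describe one persistence technique: the Run value "SysHelper" that launches DBF5.exe from a GUID-named folder under AppData\Local with --AutoStart (Adds Run key to start application), and the icacls command in the process list that denies Everyone (S-1-1-0) delete and delete-child rights on that same folder so the dropped copy cannot be removed by the user. The hunting logic below is an added example, not part of the report or the sandbox's own signatures. It takes Sysmon-style registry and process-creation records (the record shape is an assumption; the sample events are constructed from the values shown in this report) and flags the combination of a Run value pointing into a GUID directory with an icacls deny on that directory.

```python
"""Hunt for the Run-key + icacls self-protection pair seen in this report.
Added example; not part of the sandbox report. SAMPLE_EVENTS are constructed
records in a Sysmon-like shape (an assumption), using the report's values."""
from __future__ import annotations
import re
from dataclasses import dataclass

# <drive>:\Users\<user>\AppData\Local\<GUID>\<file>.exe
GUID_DIR_EXE = re.compile(
    r"^(?P<dir>[a-z]:\\users\\[^\\]+\\appdata\\local\\"
    r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# icacls "<dir>" /deny *S-1-1-0:(OI)(CI)(DE,DC)   (S-1-1-0 is Everyone)
ICACLS_DENY_EVERYONE = re.compile(
    r'icacls\s+"?(?P<dir>[^"]+?)"?\s+/deny\s+\*S-1-1-0:\(OI\)\(CI\)\((?P<rights>[A-Z,]+)\)',
    re.IGNORECASE,
)
RUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run\\(?P<name>[^\\]+)$", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    rule: str
    directory: str
    detail: str


def split_run_value(data: str) -> tuple[str, str] | None:
    """'"C:\\x\\y.exe" --AutoStart' -> ('C:\\x\\y.exe', '--AutoStart')."""
    m = re.match(r'^"?(?P<exe>[^"]+?\.exe)"?\s*(?P<args>.*)$', data.strip(), re.IGNORECASE)
    return (m["exe"], m["args"]) if m else None


def hunt(events: list[dict]) -> list[Finding]:
    run_dirs: dict[str, str] = {}     # lowercased dir -> Run value name
    denied_dirs: dict[str, str] = {}  # lowercased dir -> rights denied to Everyone
    findings: list[Finding] = []
    for ev in events:
        if ev["type"] == "RegistrySet" and (k := RUN_KEY.search(ev["key"])):
            parsed = split_run_value(ev["data"])
            if parsed and (m := GUID_DIR_EXE.match(parsed[0])):
                run_dirs[m["dir"].lower()] = k["name"]
                findings.append(Finding("run_key_guid_dir", m["dir"],
                                        f"{k['name']} -> {parsed[0]} {parsed[1]}".strip()))
        elif ev["type"] == "ProcessCreate" and (m := ICACLS_DENY_EVERYONE.search(ev["cmdline"])):
            rights = set(m["rights"].upper().split(","))
            if {"DE", "DC"} & rights:   # delete / delete-child denied to Everyone
                denied_dirs[m["dir"].rstrip("\\").lower()] = m["rights"]
                findings.append(Finding("icacls_deny_everyone_delete", m["dir"], m["rights"]))
    # Both on one directory is the strong signal: persistence plus self-protection.
    for d, name in run_dirs.items():
        if d in denied_dirs:
            findings.append(Finding("persistence_dir_self_protected", d,
                                    f"Run value {name!r}; Everyone denied {denied_dirs[d]}"))
    return findings


# Constructed events mirroring the values recorded in this report.
SID = "S-1-5-21-3808065738-1666277613-1125846146-1000"
SAMPLE_EVENTS = [
    {"type": "RegistrySet",
     "key": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "data": r'"C:\Users\Admin\AppData\Local\21f12759-31e3-4760-a46e-0a933afd6000\DBF5.exe" --AutoStart'},
    {"type": "ProcessCreate",
     "cmdline": r'icacls "C:\Users\Admin\AppData\Local\21f12759-31e3-4760-a46e-0a933afd6000" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "RegistrySet",   # benign-looking Run value under Program Files: must not fire
     "key": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.directory} :: {f.detail}")
```

The DE,DC deny also matters for cleanup: the folder cannot simply be deleted until the ACE is removed (icacls <dir> /remove:d *S-1-1-0 with sufficient rights), which is why the correlated finding carries the denied rights string rather than only the path.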

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
NL 172.217.23.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 70.174.106.193.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
UY 179.25.61.186:80 sdfjhuz.com tcp
US 8.8.8.8:53 186.61.25.179.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 bitbucket.org udp
AU 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 api.2ip.ua udp
US 8.8.8.8:53 80.232.23.103.in-addr.arpa udp
US 188.114.97.2:443 api.2ip.ua tcp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 superemeboxlogosites.pro udp
US 188.114.96.2:443 superemeboxlogosites.pro tcp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 wisemassiveharmonious.shop udp
US 172.67.181.250:443 wisemassiveharmonious.shop tcp
US 8.8.8.8:53 colorfulequalugliess.shop udp
US 172.67.185.152:443 colorfulequalugliess.shop tcp
US 8.8.8.8:53 250.181.67.172.in-addr.arpa udp
US 8.8.8.8:53 relevantvoicelesskw.shop udp
US 172.67.147.173:443 relevantvoicelesskw.shop tcp
US 8.8.8.8:53 152.185.67.172.in-addr.arpa udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 8.8.8.8:53 173.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 resergvearyinitiani.shop udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 104.21.94.2:443 resergvearyinitiani.shop tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 valowaves.com udp
US 188.114.97.2:443 valowaves.com tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 2.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp
US 104.21.10.242:443 associationokeo.shop tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 hadogarden.com udp
VN 103.216.113.30:443 hadogarden.com tcp
US 8.8.8.8:53 30.113.216.103.in-addr.arpa udp
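
The network table mixes three very different things: the sandbox's own reverse-PTR lookups for every new IP (the in-addr.arpa rows), a single host hit dozens of times over plaintext HTTP (trad-einmyus.com on 193.106.174.70:80), and a run of .shop/.fun/.pw names of which only some ever received a TCP connection. The script below is an added example, not part of the report, that parses rows in the report's own "Country Destination Domain Proto" shape and separates those three cases; SAMPLE_ROWS is a subset transcribed from the table with the trad-einmyus.com repeats reduced to twelve. The threshold of ten plaintext connections is an assumption chosen for this illustration.

```python
"""Triage a sandbox network table: drop reverse-PTR noise, count TCP
connections per host, and list beacon-like hosts, DNS-only names, and
names under cheap TLDs. Added example, not part of the report."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class HostStats:
    dns_queries: int = 0
    tcp_conns: int = 0
    ports: set[int] = field(default_factory=set)
    ips: set[str] = field(default_factory=set)


def parse_rows(text: str) -> list[tuple[str, str, int, str, str]]:
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append((country, ip, int(port), domain, proto))
    return rows


def summarize(rows) -> dict[str, HostStats]:
    stats: dict[str, HostStats] = defaultdict(HostStats)
    for _country, ip, port, domain, proto in rows:
        if domain.endswith(".in-addr.arpa"):
            continue   # the sandbox's own reverse lookup for each new IP, not sample traffic
        s = stats[domain]
        if proto == "udp" and port == 53:
            s.dns_queries += 1
        elif proto == "tcp":
            s.tcp_conns += 1
            s.ports.add(port)
            s.ips.add(ip)
    return dict(stats)


def plaintext_beacons(stats: dict[str, HostStats], min_conns: int = 10) -> list[str]:
    """Hosts contacted repeatedly over port 80 only: consistent with a check-in loop."""
    return sorted(d for d, s in stats.items() if s.tcp_conns >= min_conns and s.ports == {80})


def dns_only(stats: dict[str, HostStats]) -> list[str]:
    """Resolved but never connected to: fallback C2 candidates worth blocking anyway."""
    return sorted(d for d, s in stats.items() if s.dns_queries and not s.tcp_conns)


def tld_cluster(stats: dict[str, HostStats], tlds=("shop", "fun", "pw")) -> dict[str, list[str]]:
    out: dict[str, list[str]] = defaultdict(list)
    for d in stats:
        tld = d.rsplit(".", 1)[-1]
        if tld in tlds:
            out[tld].append(d)
    return {t: sorted(v) for t, v in out.items()}


# Subset of the report's rows; repeats of the port-80 host reduced to twelve.
SAMPLE_ROWS = """
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 trad-einmyus.com udp
""" + "RU 193.106.174.70:80 trad-einmyus.com tcp\n" * 12 + """US 8.8.8.8:53 sdfjhuz.com udp
UY 179.25.61.186:80 sdfjhuz.com tcp
US 8.8.8.8:53 bitbucket.org udp
AU 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.2:443 api.2ip.ua tcp
US 8.8.8.8:53 wisemassiveharmonious.shop udp
US 172.67.181.250:443 wisemassiveharmonious.shop tcp
US 8.8.8.8:53 detectordiscusser.shop udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
"""

if __name__ == "__main__":
    stats = summarize(parse_rows(SAMPLE_ROWS))
    print("beacon-like :", plaintext_beacons(stats))
    print("dns-only    :", dns_only(stats))
    print("tld cluster :", tld_cluster(stats))
```

Browser and OS noise (g.bing.com, chromewebstore.googleapis.com, tse1.mm.bing.net) survives the PTR filter and has to be removed by an allow-list in practice; it is left in here so the three views can be checked against the table as printed.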

Files

memory/800-1-0x0000000000610000-0x0000000000710000-memory.dmp

memory/800-2-0x00000000005D0000-0x00000000005DB000-memory.dmp

memory/800-3-0x0000000000400000-0x000000000046B000-memory.dmp

memory/800-5-0x0000000000400000-0x000000000046B000-memory.dmp

memory/3332-4-0x0000000002A30000-0x0000000002A46000-memory.dmp

memory/800-8-0x00000000005D0000-0x00000000005DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BF73.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\DBF5.exe

MD5 34fde9d03541c0ed5419a5f836e484c6
SHA1 06b08899348a41347284ca56cefd02783a2e4e90
SHA256 419b2e437adbe8a00d794e190d387ce91a24243227418c33b5a556adcda46bd1
SHA512 880c0a3f1b47aeac1b96f6e775e693921803dfcf5fb99352ec92f7cc9d89e1a05cdb01408e7de6580818c2431df022ba953b555711a7e5e4de85de01113a1488

memory/3940-21-0x00000000004C0000-0x0000000000560000-memory.dmp

memory/3940-22-0x0000000002200000-0x000000000231B000-memory.dmp

memory/4376-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4376-25-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EDC8.exe

MD5 756931963ef47d8261e3090770710355
SHA1 074e49a53dc0dea819a2ce9b487982f0ac114d86
SHA256 6a103e31e7c1990a5f21e6ad483805b01fdbabe9fd9454f42aab0eda9b5d67cf
SHA512 231458212051567f7549a7d24d0d956219e33480fbba3428b2259d571265802aa9b8727998f6c5bf62e30c1ec673619506b5cb9d1220c738af0685be2ec397ce

memory/4376-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4376-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2020-33-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/2020-34-0x0000000000D10000-0x0000000000D96000-memory.dmp

memory/2020-35-0x0000000003250000-0x0000000003260000-memory.dmp

memory/4376-46-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3964-47-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2020-50-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/2020-51-0x00000000032F0000-0x00000000052F0000-memory.dmp

memory/3964-53-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3964-55-0x0000000000DB0000-0x0000000000DE2000-memory.dmp

memory/3964-54-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3964-57-0x0000000000DB0000-0x0000000000DE2000-memory.dmp

memory/3964-56-0x0000000000DB0000-0x0000000000DE2000-memory.dmp

memory/3964-58-0x0000000000DB0000-0x0000000000DE2000-memory.dmp

memory/3964-59-0x0000000000DB0000-0x0000000000DE2000-memory.dmp

memory/4376-61-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2544-64-0x0000000000590000-0x0000000000630000-memory.dmp

memory/3324-68-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3324-67-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3324-70-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2020-73-0x00000000032F0000-0x00000000052F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\19B6.exe

MD5 9e52aa572f0afc888c098db4c0f687ff
SHA1 ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA256 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512 d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

memory/2496-78-0x0000000000400000-0x00000000010E5000-memory.dmp

memory/2496-86-0x0000000001640000-0x0000000001641000-memory.dmp

memory/2496-88-0x0000000000400000-0x00000000010E5000-memory.dmp

memory/2496-89-0x0000000001790000-0x0000000001791000-memory.dmp

memory/2496-87-0x0000000001760000-0x0000000001761000-memory.dmp

memory/2496-90-0x00000000017A0000-0x00000000017A1000-memory.dmp

memory/2496-91-0x00000000017B0000-0x00000000017B1000-memory.dmp

memory/2496-92-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2496-94-0x0000000000400000-0x00000000010E5000-memory.dmp

memory/2496-95-0x0000000003280000-0x0000000003281000-memory.dmp

memory/2496-96-0x0000000003280000-0x00000000032B2000-memory.dmp

memory/2496-98-0x0000000003280000-0x00000000032B2000-memory.dmp

memory/2496-97-0x0000000003280000-0x00000000032B2000-memory.dmp

memory/2496-99-0x0000000003280000-0x00000000032B2000-memory.dmp

memory/2496-100-0x0000000000400000-0x00000000010E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5450.exe

MD5 859a09d58d1c5e2e82dfb047151e8653
SHA1 1971adde3e3535f7d7db24a8ef22284b45062437
SHA256 6e214982f41ce44d7e768bf8f01484120101afefaddb8b66a7d332709d40294b
SHA512 b040ad6c65dfb1da2d9abbdd99a4adf1abbf357d913780e214938af0d6f7a1b7778fb6ad763d8abfea71f2902fffa7b75d5d14272d248bad8ba07243787c8693

C:\Users\Admin\AppData\Local\Temp\5450.exe

MD5 8550a2827ea5838ec8df7ff6fd10e6ce
SHA1 c8ce1f265d516f063f7db92e341a59a4568cc484
SHA256 02147ca0fdeec2804183385003397b5b10145d2027327a3b928acc0d2c00d527
SHA512 d1d6b8ce2411a8c5191bfb948bbfe455846fa2e6357bd5c7aeb78722776abc6ae529b4701439d1389b9de51b6ba00e8bba0fe39f17f39e423563b463bd61b9c9

memory/3080-105-0x00007FF6D2F40000-0x00007FF6D3BA2000-memory.dmp