Analysis Overview
SHA256
fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9
Threat Level: Known bad
The file fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9 was found to be: Known bad.
Malicious Activity Summary
Vidar
Djvu Ransomware
Detected Djvu ransomware
Detect Vidar Stealer
SmokeLoader
DcRat
Downloads MZ/PE file
Loads dropped DLL
Deletes itself
Modifies file permissions
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Creates scheduled task(s)
Checks SCSI registry key(s)
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-12 14:14
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-12 14:14
Reported
2024-03-12 14:16
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
154s
Command Line
Signatures
SmokeLoader
Deletes itself
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe | N/A |
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe
"C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-12 14:14
Reported
2024-03-12 14:16
Platform
win7-20240221-en
Max time kernel
150s
Max time network
144s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\92e23cbe-8f02-4880-8f34-81f8068a8a59\\6BBF.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\6BBF.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Vidar
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6BBF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6BBF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6BBF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6BBF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56E9.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6BBF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6BBF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6BBF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6BBF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6BBF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6BBF.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6BBF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6BBF.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\92e23cbe-8f02-4880-8f34-81f8068a8a59\\6BBF.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\6BBF.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 436 set thread context of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\6BBF.exe | C:\Users\Admin\AppData\Local\Temp\6BBF.exe |
| PID 2340 set thread context of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\6BBF.exe | C:\Users\Admin\AppData\Local\Temp\6BBF.exe |
| PID 2924 set thread context of 1772 | N/A | C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build2.exe | C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build2.exe |
| PID 2100 set thread context of 2768 | N/A | C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build3.exe | C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build3.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\56E9.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe
"C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\B6C1.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\6BBF.exe
C:\Users\Admin\AppData\Local\Temp\6BBF.exe
C:\Users\Admin\AppData\Local\Temp\6BBF.exe
C:\Users\Admin\AppData\Local\Temp\6BBF.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\92e23cbe-8f02-4880-8f34-81f8068a8a59" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\6BBF.exe
"C:\Users\Admin\AppData\Local\Temp\6BBF.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\6BBF.exe
"C:\Users\Admin\AppData\Local\Temp\6BBF.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build2.exe
"C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build2.exe"
C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build2.exe
"C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1400
C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build3.exe
"C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build3.exe"
C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build3.exe
"C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\56E9.exe
C:\Users\Admin\AppData\Local\Temp\56E9.exe
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5BCA.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 124
Network
Files