Malware Analysis Report

2025-01-02 11:15

Sample ID 240313-an59wahb22
Target 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d
SHA256 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d
Tags
dcrat djvu smokeloader vidar 7462cf1e49890509e46ee7ab1b511527 pub1 backdoor discovery infostealer persistence ransomware rat stealer trojan lumma
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d

Threat Level: Known bad

The file 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d was found to be: Known bad.

Malicious Activity Summary

dcrat djvu smokeloader vidar 7462cf1e49890509e46ee7ab1b511527 pub1 backdoor discovery infostealer persistence ransomware rat stealer trojan lumma

DcRat

Detected Djvu ransomware

SmokeLoader

Lumma Stealer

Vidar

Detect Vidar Stealer

Djvu Ransomware

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Modifies file permissions

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Creates scheduled task(s)

Suspicious use of UnmapMainImage

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-13 00:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 00:22

Reported

2024-03-13 00:25

Platform

win7-20240221-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d9d345e5-742b-4e2a-b72c-7f3ecb9eb526\\144D.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\144D.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d9d345e5-742b-4e2a-b72c-7f3ecb9eb526\\144D.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\144D.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1248 wrote to memory of 2540 N/A N/A C:\Windows\system32\cmd.exe
PID 1248 wrote to memory of 2540 N/A N/A C:\Windows\system32\cmd.exe
PID 1248 wrote to memory of 2540 N/A N/A C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2540 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2540 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1248 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 1248 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 1248 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 1248 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 2232 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 2232 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 2232 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 2232 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 2232 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 2232 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 2232 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 2232 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 2232 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 2232 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 2232 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 1596 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Windows\SysWOW64\icacls.exe
PID 1596 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Windows\SysWOW64\icacls.exe
PID 1596 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Windows\SysWOW64\icacls.exe
PID 1596 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Windows\SysWOW64\icacls.exe
PID 1596 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 1596 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 1596 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 1596 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 1796 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 1796 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 1796 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 1796 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 1796 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 1796 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 1796 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 1796 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 1796 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 1796 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 1796 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\Temp\144D.exe
PID 2768 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe
PID 2768 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe
PID 2768 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe
PID 2768 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe
PID 360 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe
PID 360 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe
PID 360 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe
PID 360 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe
PID 360 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe
PID 360 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe
PID 360 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe
PID 360 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe
PID 360 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe
PID 360 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe
PID 360 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe
PID 1864 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1864 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1864 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1864 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2768 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe
PID 2768 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe
PID 2768 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe
PID 2768 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\144D.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe
PID 2516 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe

"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\A3AF.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\144D.exe

C:\Users\Admin\AppData\Local\Temp\144D.exe

C:\Users\Admin\AppData\Local\Temp\144D.exe

C:\Users\Admin\AppData\Local\Temp\144D.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\d9d345e5-742b-4e2a-b72c-7f3ecb9eb526" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\144D.exe

"C:\Users\Admin\AppData\Local\Temp\144D.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\144D.exe

"C:\Users\Admin\AppData\Local\Temp\144D.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe

"C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe"

C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe

"C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 1420

C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe

"C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe"

C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe

"C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {E7A2A9B4-5FD5-4B12-9B20-BF3E392B84C9} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\512.exe

C:\Users\Admin\AppData\Local\Temp\512.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 124

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\2040.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\42CE.exe

C:\Users\Admin\AppData\Local\Temp\42CE.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
KR 123.213.233.131:80 sdfjhuz.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
RU 31.41.44.192:80 trad-einmyus.com tcp
US 104.21.65.24:443 api.2ip.ua tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
US 104.21.65.24:443 api.2ip.ua tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
KR 123.213.233.131:80 sdfjhuz.com tcp
US 8.8.8.8:53 sajdfue.com udp
AR 190.220.21.28:80 sajdfue.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
AR 190.220.21.28:80 sajdfue.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
US 8.8.8.8:53 steamcommunity.com udp
RU 31.41.44.192:80 trad-einmyus.com tcp
GB 23.214.154.77:443 steamcommunity.com tcp
DE 5.75.221.28:80 5.75.221.28 tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
US 8.8.8.8:53 valowaves.com udp
US 172.67.192.62:443 valowaves.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
US 8.8.8.8:53 hadogarden.com udp
VN 103.216.113.30:443 hadogarden.com tcp
VN 103.216.113.30:443 hadogarden.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
US 8.8.8.8:53 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly udp
US 209.141.39.59:443 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly tcp
RU 31.41.44.192:80 trad-einmyus.com tcp

Files

memory/1704-3-0x0000000000400000-0x0000000000474000-memory.dmp

memory/1704-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1704-1-0x0000000000630000-0x0000000000730000-memory.dmp

memory/1248-4-0x0000000002DA0000-0x0000000002DB6000-memory.dmp

memory/1704-5-0x0000000000400000-0x0000000000474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A3AF.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\144D.exe

MD5 109125669dc1ccce29f0c630d2d985eb
SHA1 2d1b211ff69b6d3ff178ee9716263631e8f39027
SHA256 1718fb956c30c4a56490ecfc903ef34ed514ec13c1101d44ff4cf87095e5b064
SHA512 92bbf2eb15f7083bf5b3d376e15289c5d5e027b38100ec7cf5db6f811fde1a8e21ef32c87b9dd5120c096fdfcb7307fe4987e5c92d81fbd2c2807bb076074ea9

memory/2232-26-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/2232-30-0x0000000001AB0000-0x0000000001BCB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\144D.exe

MD5 7bccb641f42dec236be4c60ef68881a9
SHA1 ce5fcf17eb701acc7d96197e07d4bd302fae3a26
SHA256 39850189a6997c495f5509d4849d05cd91b459d7f6c877f9be93a005e8b9cb21
SHA512 7d39efd12815633a992ac64afbff79125e645970d6c7aa1f9f94f0bea777a89409916c52d84d453a39a82787b44d4543be73faf4b78842134f5eebdd95eaca39

memory/1596-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2232-27-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/1596-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2232-36-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/1596-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1596-38-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\144D.exe

MD5 760f31189cbe24163385801f66b94be7
SHA1 c60804817aca0cd94d1f0a2426c6c972fb8e405b
SHA256 66c2ea73ef157f0f7cd558d13c604c5656e6af5a8fb9c2f436019cd08a7ce56d
SHA512 52d2e9196b848a7d5f51c50d844a862bea159638df330bd6b81498e99cdd17f1ce6024ba411146f3a07a485dafb9e9872bfaee714595eb5f69e7519a64fa65b9

\Users\Admin\AppData\Local\Temp\144D.exe

MD5 d204d78acc5a68472862c384018dd1a3
SHA1 5c91a06e04474e91f0a21d9d609d365f83990b03
SHA256 531d078ecb17cb4e48ce6927034f46848dcc9ed807df82b6a44941662fd4ec63
SHA512 4187092e3127b5523ad66e56f25df9247839c1006fa9da063ee04a6bc11a0cb9a8edc764096fb47135cabe64259752a5abc9eba75eed1acf8ef95b8b1d452b6e

C:\Users\Admin\AppData\Local\Temp\144D.exe

MD5 22761e10064393568fe7040fe4cf30a0
SHA1 55bc964c2dfce23f105251366b6717333bf3502a
SHA256 2a144d6efb11881d8d1b560cd4a611cd46c1207dbc07c431e94eecc6f5cb345e
SHA512 92f3d0b258cadc9d9d9a28a5ab4ddd10b7958d980c27414c9f2e794d8b9757bd41825d1c13adbee635a307c0667fe15443e5b886daa567711013300dfb206e56

memory/1596-61-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1796-63-0x0000000000350000-0x00000000003E1000-memory.dmp

memory/1796-64-0x0000000000350000-0x00000000003E1000-memory.dmp

memory/2768-71-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2768-72-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 f50551b45d9d598517bfdabd1ac6f4a7
SHA1 5d13575398c30631c7a2df81721253ea967905a2
SHA256 4bbfd12ee83102d09887a94122ea1f33fb9730a95dbc2617ba5116539d172134
SHA512 9e803763076a28c6de34baf1d4c4d1dc9c78bd9a724ab5e2eb72f4e61171aa838e70b3a16b600e8c5a9afdd608af839efd8e6a2a23024b5358ddc9c2f4f52349

C:\Users\Admin\AppData\Local\Temp\Cab20D9.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 924b3a794d280b281518067400a90bf4
SHA1 e363cfe3cfdcb4ac46fc9c6505b9ac7cb006a356
SHA256 312c1a09e0e51152b4b35fbe491ce448b1f712b1fbdfa688e00bc956c97af172
SHA512 414e7e3f1c0471c19243919660c462fb558b096db1f82ba3590349329cb05109ee93a04677c37392acb09b49740cd34cff12a88f610ba4766f0ee0a453dbfc33

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a76a4d2836ddebbb5640efb5ffaa566b
SHA1 0e0a9a04a0b2fa6680a29bfeccdc029fe81bdbe7
SHA256 315d52f0713aa99da7c66fa92ef2599d542c068367661a42718c6b90df7a02ac
SHA512 4033d1a248c418e45dd2708582f32eda17d99724c4c956b6533eda52365453f64102ca3140d1d2e11d87e22e2d10e46c3385cddbec3a20d0c4547fc143139314

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 80ea19369e68296f697809d129fc6aab
SHA1 83ed21c4c290249519e69d94575218b7768b49f8
SHA256 508a813b6655edba28f072a5074a65c576ad11ee3e3573f1c78060598fa989b6
SHA512 1848a66176dd46d5873587105b6248355ef718fd6a7439e225816d142b2dfe5375f373ec7ba34f89435327deda3b46bab90080b84104d6706aedae821b1fc1fa

memory/2768-88-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2768-87-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2768-92-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2768-95-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2768-94-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2768-96-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe

MD5 88c5ca503e8fecbca8ee889a892b165c
SHA1 2ec61a72dc88584abda48f19fb8e4d2847264aed
SHA256 41f6207540f5197717e1c601b43c9c89a5109ff3aab98fe80f6645f0ebd2a153
SHA512 366035a481a439854094d13f8a0b9bf26e706dd43100421d92724baa1f9b1ceac74669e42e9331867a3c364f8e2f0c05d3387e5dea9d8669d29832614fa7b4b9

memory/1864-111-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/360-109-0x0000000000300000-0x0000000000400000-memory.dmp

memory/1864-117-0x0000000000400000-0x0000000000644000-memory.dmp

memory/1864-118-0x0000000000400000-0x0000000000644000-memory.dmp

memory/1864-114-0x0000000000400000-0x0000000000644000-memory.dmp

memory/360-113-0x00000000001C0000-0x00000000001F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar4635.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar484D.tmp

C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe

C:\Users\Admin\AppData\Local\Temp\512.exe

\Users\Admin\AppData\Local\Temp\512.exe

\Users\Admin\AppData\Local\Temp\512.exe

\Users\Admin\AppData\Local\Temp\512.exe

\Users\Admin\AppData\Local\Temp\42CE.exe

C:\Users\Admin\AppData\Local\Temp\42CE.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 00:22

Reported

2024-03-13 00:25

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DEC8.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5c6d438c-3342-45f2-a815-c18343a64107\\DEC8.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\DEC8.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2956 set thread context of 5052 N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe C:\Users\Admin\AppData\Local\Temp\DEC8.exe
PID 872 set thread context of 5080 N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe C:\Users\Admin\AppData\Local\Temp\DEC8.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\DEC8.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3368 wrote to memory of 540 N/A N/A C:\Windows\system32\cmd.exe
PID 540 wrote to memory of 4068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3368 wrote to memory of 2956 N/A N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe
PID 2956 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe C:\Users\Admin\AppData\Local\Temp\DEC8.exe
PID 5052 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe C:\Windows\SysWOW64\icacls.exe
PID 5052 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe C:\Users\Admin\AppData\Local\Temp\DEC8.exe
PID 872 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe C:\Users\Admin\AppData\Local\Temp\DEC8.exe
PID 3368 wrote to memory of 2688 N/A N/A C:\Users\Admin\AppData\Local\Temp\FAB9.exe
PID 3368 wrote to memory of 1524 N/A N/A C:\Windows\system32\cmd.exe
PID 1524 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3368 wrote to memory of 1848 N/A N/A C:\Users\Admin\AppData\Local\Temp\2073.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe

"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A7D9.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\DEC8.exe

C:\Users\Admin\AppData\Local\Temp\DEC8.exe

C:\Users\Admin\AppData\Local\Temp\DEC8.exe

C:\Users\Admin\AppData\Local\Temp\DEC8.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\5c6d438c-3342-45f2-a815-c18343a64107" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\DEC8.exe

"C:\Users\Admin\AppData\Local\Temp\DEC8.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\DEC8.exe

"C:\Users\Admin\AppData\Local\Temp\DEC8.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5080 -ip 5080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 568

C:\Users\Admin\AppData\Local\Temp\FAB9.exe

C:\Users\Admin\AppData\Local\Temp\FAB9.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3D2.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2073.exe

C:\Users\Admin\AppData\Local\Temp\2073.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\A7D9.bat

C:\Users\Admin\AppData\Local\Temp\DEC8.exe

C:\Users\Admin\AppData\Local\Temp\DEC8.exe

C:\Users\Admin\AppData\Local\Temp\FAB9.exe

C:\Users\Admin\AppData\Local\Temp\2073.exe

C:\Users\Admin\AppData\Local\Temp\2073.exe