Analysis Overview
SHA256: a43cb60342d45b1af2956ac3fdee2c53b6c422019c3b9d4364e4fd206d5ea4ef
Threat Level: Known bad
The file a43cb60342d45b1af2956ac3fdee2c53b6c422019c3b9d4364e4fd206d5ea4ef was found to be: Known bad.
Malicious Activity Summary
Amadey
DcRat
SmokeLoader
UAC bypass
Lumma Stealer
ZGRat
Detect Vidar Stealer
Detect ZGRat V1
Vidar
Djvu Ransomware
Stealc
Detected Djvu ransomware
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
Deletes itself
Loads dropped DLL
Identifies Wine through registry keys
Reads WinSCP keys stored on the system
Modifies file permissions
Checks BIOS information in registry
Uses the VBS compiler for execution
Reads local data of messenger clients
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Creates scheduled task(s)
Runs regedit.exe
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious use of UnmapMainImage
Modifies registry class
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
System policy modification
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-03-13 01:15
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-03-13 01:15
Reported: 2024-03-13 01:18
Platform: win7-20240221-en
Max time kernel: 151s
Max time network: 168s
Command Line:
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a43cb60342d45b1af2956ac3fdee2c53b6c422019c3b9d4364e4fd206d5ea4ef.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8ef93ab1-0144-43f2-a953-8b3ccdba8c6c\\FA67.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\FA67.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3BBE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\487B.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3BBE.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\487B.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\487B.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3BBE.exe | N/A |
Deletes itself
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\3BBE.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\487B.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8ef93ab1-0144-43f2-a953-8b3ccdba8c6c\\FA67.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\FA67.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" | C:\Users\Admin\AppData\Local\Temp\598D.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3BBE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\3BBE.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a43cb60342d45b1af2956ac3fdee2c53b6c422019c3b9d4364e4fd206d5ea4ef.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a43cb60342d45b1af2956ac3fdee2c53b6c422019c3b9d4364e4fd206d5ea4ef.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a43cb60342d45b1af2956ac3fdee2c53b6c422019c3b9d4364e4fd206d5ea4ef.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a43cb60342d45b1af2956ac3fdee2c53b6c422019c3b9d4364e4fd206d5ea4ef.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a43cb60342d45b1af2956ac3fdee2c53b6c422019c3b9d4364e4fd206d5ea4ef.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a43cb60342d45b1af2956ac3fdee2c53b6c422019c3b9d4364e4fd206d5ea4ef.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\598D.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000837001\goldqwer12.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3BBE.exe | N/A |
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\a43cb60342d45b1af2956ac3fdee2c53b6c422019c3b9d4364e4fd206d5ea4ef.exe | "C:\Users\Admin\AppData\Local\Temp\a43cb60342d45b1af2956ac3fdee2c53b6c422019c3b9d4364e4fd206d5ea4ef.exe" |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\D643.bat" " |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1 |
| C:\Users\Admin\AppData\Local\Temp\FA67.exe | C:\Users\Admin\AppData\Local\Temp\FA67.exe |
| C:\Users\Admin\AppData\Local\Temp\FA67.exe | C:\Users\Admin\AppData\Local\Temp\FA67.exe |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\8ef93ab1-0144-43f2-a953-8b3ccdba8c6c" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\FA67.exe | "C:\Users\Admin\AppData\Local\Temp\FA67.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\FA67.exe | "C:\Users\Admin\AppData\Local\Temp\FA67.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\6566f56c-dae7-4f46-9120-ad6b687d6dbf\build2.exe | "C:\Users\Admin\AppData\Local\6566f56c-dae7-4f46-9120-ad6b687d6dbf\build2.exe" |
| C:\Users\Admin\AppData\Local\6566f56c-dae7-4f46-9120-ad6b687d6dbf\build2.exe | "C:\Users\Admin\AppData\Local\6566f56c-dae7-4f46-9120-ad6b687d6dbf\build2.exe" |
| C:\Users\Admin\AppData\Local\6566f56c-dae7-4f46-9120-ad6b687d6dbf\build3.exe | "C:\Users\Admin\AppData\Local\6566f56c-dae7-4f46-9120-ad6b687d6dbf\build3.exe" |
| C:\Users\Admin\AppData\Local\6566f56c-dae7-4f46-9120-ad6b687d6dbf\build3.exe | "C:\Users\Admin\AppData\Local\6566f56c-dae7-4f46-9120-ad6b687d6dbf\build3.exe" |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 1420 |
| C:\Windows\system32\taskeng.exe | taskeng.exe {EC833B5C-4BE4-4B84-896A-32BC0D5E0C09} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1] |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Local\Temp\E217.exe | C:\Users\Admin\AppData\Local\Temp\E217.exe |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\E64D.bat" " |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 124 |
| C:\Users\Admin\AppData\Local\Temp\F7F.exe | C:\Users\Admin\AppData\Local\Temp\F7F.exe |
| C:\Users\Admin\AppData\Local\Temp\3BBE.exe | C:\Users\Admin\AppData\Local\Temp\3BBE.exe |
| C:\Users\Admin\AppData\Local\Temp\487B.exe | C:\Users\Admin\AppData\Local\Temp\487B.exe |
| C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | "C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe" |
| C:\Users\Admin\AppData\Local\Temp\598D.exe | C:\Users\Admin\AppData\Local\Temp\598D.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6596.tmp.bat"" |
| C:\Windows\system32\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' |
| C:\Windows\system32\timeout.exe | timeout 3 |
| C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe | "C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe" |
| C:\Users\Admin\AppData\Roaming\svchost.exe | "C:\Users\Admin\AppData\Roaming\svchost.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 260 |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force |
| C:\Program Files (x86)\Internet Explorer\iexplore.exe | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" |
| C:\Windows\System32\svchost.exe | "C:\Windows\System32\svchost.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000837001\goldqwer12.exe | "C:\Users\Admin\AppData\Local\Temp\1000837001\goldqwer12.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" |
| C:\Program Files (x86)\Windows Mail\wab.exe | "C:\Program Files (x86)\Windows Mail\wab.exe" |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main |
| C:\Windows\system32\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" |
| C:\Windows\system32\netsh.exe | netsh wlan show profiles |
| C:\Program Files (x86)\Windows Media Player\wmplayer.exe | "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe" |
| C:\Windows\regedit.exe | "C:\Windows\regedit.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\787592910372_Desktop.zip' -CompressionLevel Optimal |
| C:\Windows\System32\calc.exe | "C:\Windows\System32\calc.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" |
| C:\Windows\System32\notepad.exe | "C:\Windows\System32\notepad.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main |
| C:\Users\Admin\AppData\Local\Temp\B4E6.exe | C:\Users\Admin\AppData\Local\Temp\B4E6.exe |
Network
Files
memory/848-1-0x00000000008E0000-0x00000000009E0000-memory.dmp
memory/848-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/848-3-0x0000000000400000-0x0000000000474000-memory.dmp
memory/848-5-0x0000000000400000-0x0000000000474000-memory.dmp
memory/1208-4-0x0000000002A00000-0x0000000002A16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D643.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\FA67.exe
| MD5 | 109125669dc1ccce29f0c630d2d985eb |
| SHA1 | 2d1b211ff69b6d3ff178ee9716263631e8f39027 |
| SHA256 | 1718fb956c30c4a56490ecfc903ef34ed514ec13c1101d44ff4cf87095e5b064 |
| SHA512 | 92bbf2eb15f7083bf5b3d376e15289c5d5e027b38100ec7cf5db6f811fde1a8e21ef32c87b9dd5120c096fdfcb7307fe4987e5c92d81fbd2c2807bb076074ea9 |
memory/2708-26-0x0000000000220000-0x00000000002B1000-memory.dmp
memory/2708-27-0x0000000000220000-0x00000000002B1000-memory.dmp
memory/2708-28-0x0000000001AB0000-0x0000000001BCB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FA67.exe
| MD5 | a9b4302a43c5974bf4c029e90a250feb |
| SHA1 | 2c77d8293bdcd05ce5d7b92a2eee77b4bf39d9d0 |
| SHA256 | eb7c32b1ea9025a26a39ac7029e4cce380635b47f27ecd0a745c8c0e3ffd176c |
| SHA512 | ae3d42ae32ca97de5595b685a4c1d9458d381ae1ae417477ec042af0cbc3bf7e7d7aebc7a22c247f14da3f188958b032cb9357d28f226cd815cb3f0b7cd400e8 |
\Users\Admin\AppData\Local\Temp\FA67.exe
| MD5 | 6cae8753d044e900c8daba5c6c3d4e92 |
| SHA1 | 043894ccbe16685fee152bf8806752d872133d14 |
| SHA256 | f3c4f3800c11cf39346a6bc6875e982cfd6e2c75eb9f712ec263b44333a29fcc |
| SHA512 | ff67476fb0196b23532171395eef61a703e7e6831e3b4d6d8b997872f3d6dfbbd34c635cb81acecdf504a07951a67980fe856dd5e1a8ae7f078118297a26175d |
memory/2448-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2448-33-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2708-36-0x0000000000220000-0x00000000002B1000-memory.dmp
memory/2448-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2448-38-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2448-61-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1680-63-0x0000000001AB0000-0x0000000001B41000-memory.dmp
memory/1680-64-0x0000000001AB0000-0x0000000001B41000-memory.dmp
memory/2616-71-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2616-72-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | a76a4d2836ddebbb5640efb5ffaa566b |
| SHA1 | 0e0a9a04a0b2fa6680a29bfeccdc029fe81bdbe7 |
| SHA256 | 315d52f0713aa99da7c66fa92ef2599d542c068367661a42718c6b90df7a02ac |
| SHA512 | 4033d1a248c418e45dd2708582f32eda17d99724c4c956b6533eda52365453f64102ca3140d1d2e11d87e22e2d10e46c3385cddbec3a20d0c4547fc143139314 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 8afb8b105b41057dc9c246a9cb8ddabd |
| SHA1 | be79514c70a34a25394cb15401551d60300b492a |
| SHA256 | b7863ac33e8c590fae59c7233f10eba3b19d7042292258d2256cf0140bd1d3b0 |
| SHA512 | ccbab96a71c9858fec1be983aaf518c21a13469225d2b7b6e8b0d4da12670228a727ac13acca4a5c25aeb6c1f7ffd07d34e56a0292956c939bc5425500a32b45 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 89b88ef83bd8d23382bc12477a9d8e4d |
| SHA1 | 94a7d13fe641ca580bbf22280b6d2afa58719eb2 |
| SHA256 | 1303c7fe5b0f08f08080cb0930220d63559526a42d42250b167e3d4b094de0c4 |
| SHA512 | d29c2514a5b5c6766509423cc8886d6e9fd613c271b4396838be6f24362e0e8ede7abc0008dc3a8b8ca37b9fc45491663a01275d2f28467fa4bb9759ea4f9435 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8ac9b4ecd499a093fdca34ab27736040 |
| SHA1 | 82d69ac2722387ebd484a61945133e2cd0bc3694 |
| SHA256 | cb8679c11522fa8eb05801a04bc11105a82a801083b3b4914c0c0d357dd262e8 |
| SHA512 | aeaa933cbaa026694511e24641f263591ce3fb36e3668f709df076587becf5ac5254b6494ba78a30b7dd85d33e420446ff718a2b75ae6be341b8f9ee2a9c18b5 |
C:\Users\Admin\AppData\Local\Temp\CabA2E.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/2616-87-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2616-88-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2616-92-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2616-94-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2616-95-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2616-96-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\6566f56c-dae7-4f46-9120-ad6b687d6dbf\build2.exe
| MD5 | 88c5ca503e8fecbca8ee889a892b165c |
| SHA1 | 2ec61a72dc88584abda48f19fb8e4d2847264aed |
| SHA256 | 41f6207540f5197717e1c601b43c9c89a5109ff3aab98fe80f6645f0ebd2a153 |
| SHA512 | 366035a481a439854094d13f8a0b9bf26e706dd43100421d92724baa1f9b1ceac74669e42e9331867a3c364f8e2f0c05d3387e5dea9d8669d29832614fa7b4b9 |
memory/2264-111-0x0000000001B00000-0x0000000001C00000-memory.dmp
memory/1684-110-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2264-113-0x0000000000230000-0x0000000000261000-memory.dmp
memory/1684-114-0x0000000000400000-0x0000000000644000-memory.dmp
memory/1684-117-0x0000000000400000-0x0000000000644000-memory.dmp
memory/1684-118-0x0000000000400000-0x0000000000644000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar2905.tmp
\Users\Admin\AppData\Local\6566f56c-dae7-4f46-9120-ad6b687d6dbf\build3.exe
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\Tar3395.tmp
C:\Users\Admin\AppData\Local\Temp\E217.exe
\Users\Admin\AppData\Local\Temp\F7F.exe
C:\Users\Admin\AppData\Local\Temp\3BBE.exe
C:\Users\Admin\AppData\Local\Temp\3BBE.exe
C:\Users\Admin\AppData\Local\Temp\3BBE.exe
C:\Windows\Tasks\explorgu.job
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
\Users\Admin\AppData\Local\Temp\598D.exe
C:\Users\Admin\AppData\Local\Temp\tmp6596.tmp.bat
C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe
C:\Users\Admin\AppData\Local\Temp\1000837001\goldqwer12.exe
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AOCLKKM3JY9O9WDIB4GL.temp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
C:\Users\Admin\AppData\Local\Temp\B4E6.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-13 01:15
Reported
2024-03-13 01:17
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Lumma Stealer
SmokeLoader
Stealc
ZGRat
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ADC5.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ADC5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5C65.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\752F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BB42.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BB42.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e0c8c1eb-a6e3-4663-915a-6b3c23fdb678\\ADC5.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\ADC5.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1716 set thread context of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\ADC5.exe | C:\Users\Admin\AppData\Local\Temp\ADC5.exe |
| PID 4772 set thread context of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\ADC5.exe | C:\Users\Admin\AppData\Local\Temp\ADC5.exe |
| PID 3508 set thread context of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\BB42.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ADC5.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a43cb60342d45b1af2956ac3fdee2c53b6c422019c3b9d4364e4fd206d5ea4ef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a43cb60342d45b1af2956ac3fdee2c53b6c422019c3b9d4364e4fd206d5ea4ef.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a43cb60342d45b1af2956ac3fdee2c53b6c422019c3b9d4364e4fd206d5ea4ef.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a43cb60342d45b1af2956ac3fdee2c53b6c422019c3b9d4364e4fd206d5ea4ef.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a43cb60342d45b1af2956ac3fdee2c53b6c422019c3b9d4364e4fd206d5ea4ef.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a43cb60342d45b1af2956ac3fdee2c53b6c422019c3b9d4364e4fd206d5ea4ef.exe
"C:\Users\Admin\AppData\Local\Temp\a43cb60342d45b1af2956ac3fdee2c53b6c422019c3b9d4364e4fd206d5ea4ef.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8453.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\ADC5.exe
C:\Users\Admin\AppData\Local\Temp\ADC5.exe
C:\Users\Admin\AppData\Local\Temp\ADC5.exe
C:\Users\Admin\AppData\Local\Temp\ADC5.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e0c8c1eb-a6e3-4663-915a-6b3c23fdb678" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\ADC5.exe
"C:\Users\Admin\AppData\Local\Temp\ADC5.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\ADC5.exe
"C:\Users\Admin\AppData\Local\Temp\ADC5.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2764 -ip 2764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 576
C:\Users\Admin\AppData\Local\Temp\5C65.exe
C:\Users\Admin\AppData\Local\Temp\5C65.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\61B6.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\752F.exe
C:\Users\Admin\AppData\Local\Temp\752F.exe
C:\Users\Admin\AppData\Local\Temp\BB42.exe
C:\Users\Admin\AppData\Local\Temp\BB42.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\8453.bat
C:\Users\Admin\AppData\Local\Temp\ADC5.exe
C:\Users\Admin\AppData\Local\Temp\5C65.exe
C:\Users\Admin\AppData\Local\Temp\752F.exe
C:\Users\Admin\AppData\Local\Temp\BB42.exe
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll