Malware Analysis Report

2025-01-02 11:18

Sample ID 240313-fkaxfsdc3w
Target 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d
SHA256 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d
Tags
amadey dcrat djvu smokeloader vidar 7462cf1e49890509e46ee7ab1b511527 pub1 backdoor discovery evasion infostealer persistence ransomware rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d

Threat Level: Known bad

The file 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d was found to be: Known bad.

Malicious Activity Summary

amadey dcrat djvu smokeloader vidar 7462cf1e49890509e46ee7ab1b511527 pub1 backdoor discovery evasion infostealer persistence ransomware rat stealer trojan

Detect Vidar Stealer

Amadey

Vidar

Djvu Ransomware

SmokeLoader

Detected Djvu ransomware

UAC bypass

DcRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Uses the VBS compiler for execution (vbc.exe, the Visual Basic .NET compiler)

Deletes itself

Loads dropped DLL

Executes dropped EXE

Identifies Wine through registry keys

Modifies file permissions

Looks up external IP address via web service

Adds Run key to start application

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Checks SCSI registry key(s)

Delays execution with timeout.exe

System policy modification

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Runs regedit.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-13 04:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 04:55

Reported

2024-03-13 05:00

Platform

win7-20240215-en

Max time kernel

300s

Max time network

302s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
(5 hits; no description, indicator, process or target recorded)

Detected Djvu ransomware

Description Indicator Process Target
(14 hits; no description, indicator, process or target recorded)

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Note: despite the signature name, writing EnableLUA = 0 does not bypass a UAC prompt. It switches UAC off for every user from the next boot, and the HKLM Policies\System key is writable only by a process that is already elevated, so on a real host this write is evidence that the payload already held administrative rights, not a privilege-escalation technique.

Vidar

stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3577.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\3577.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3577.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\3577.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
Note: the icacls command recorded under Processes denies Everyone (S-1-1-0) the delete (DE) and delete-child (DC) rights, inherited to files and subfolders ((OI)(CI)), on C:\Users\Admin\AppData\Local\d6b6f262-097b-46f2-8397-4a74c32605ab, the folder the SysHelper Run key points into. That protects the payload's install directory from removal; it is defense evasion rather than discovery.

Uses the VBS compiler for execution (vbc.exe, the Visual Basic .NET compiler)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d6b6f262-097b-46f2-8397-4a74c32605ab\\64DC.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\64DC.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" C:\Users\Admin\AppData\Local\Temp\455E.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3577.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\3577.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hebijig N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hebijig N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hebijig N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
(62 further hits; no description, indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hebijig N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\455E.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AC3C.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3577.exe N/A

Suspicious use of WriteProcessMemory

Identical rows collapsed; Count = number of recorded writes.
Description Indicator Process Target Count
PID 1188 wrote to memory of 2456 N/A N/A C:\Windows\system32\cmd.exe 3
PID 2456 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe 3
PID 1188 wrote to memory of 2412 N/A N/A C:\Users\Admin\AppData\Local\Temp\64DC.exe 4
PID 2412 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\64DC.exe C:\Users\Admin\AppData\Local\Temp\64DC.exe 11
PID 1984 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\64DC.exe C:\Windows\SysWOW64\icacls.exe 4
PID 1984 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\64DC.exe C:\Users\Admin\AppData\Local\Temp\64DC.exe 4
PID 2028 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\64DC.exe C:\Users\Admin\AppData\Local\Temp\64DC.exe 11
PID 2824 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\64DC.exe C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe 4
PID 3008 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe 11
PID 2824 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\64DC.exe C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build3.exe 4
PID 1620 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe C:\Windows\SysWOW64\WerFault.exe 4
PID 1040 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build3.exe C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build3.exe 1

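Added example, not part of the sandbox report: a heuristic over rows in the format of the WriteProcessMemory table above that separates the three or four writes an ordinary CreateProcess leaves in a child from the repeated writes of a parent injecting into a suspended copy of its own image. That is how the 11-write 64DC.exe -> 64DC.exe and build2.exe -> build2.exe pairs read when taken together with the SetThreadContext and MapViewOfSection signatures in the summary, while the 4-write 64DC.exe (1984) -> 64DC.exe (2028) pair is a plain re-launch with different arguments. The 8-write cut-off is an assumption, and the sample rows are constructed to reproduce the per-pair counts above rather than copied verbatim.

```python
"""Heuristic for process hollowing in a WriteProcessMemory table of the form
used above ("PID <src> wrote to memory of <dst> N/A <src image> <dst image>").
A normal CreateProcess shows a handful of writes from parent into child; a
parent that re-launches its own image suspended and writes a new PE into it
produces many more writes into a process with the same image name."""
import re

# Paths in this table contain no spaces, so \S+ is enough for the two columns.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def _row(src, dst, src_img, dst_img):
    return f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"


T = r"C:\Users\Admin\AppData\Local\Temp"
B = r"C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb"
# Constructed to mirror the per-pair write counts of the table above.
SAMPLE_ROWS = "\n".join(
    [_row(1188, 2412, "N/A", rf"{T}\64DC.exe")] * 4
    + [_row(2412, 1984, rf"{T}\64DC.exe", rf"{T}\64DC.exe")] * 11
    + [_row(1984, 1044, rf"{T}\64DC.exe", r"C:\Windows\SysWOW64\icacls.exe")] * 4
    + [_row(1984, 2028, rf"{T}\64DC.exe", rf"{T}\64DC.exe")] * 4
    + [_row(2028, 2824, rf"{T}\64DC.exe", rf"{T}\64DC.exe")] * 11
    + [_row(2824, 3008, rf"{T}\64DC.exe", rf"{B}\build2.exe")] * 4
    + [_row(3008, 1620, rf"{B}\build2.exe", rf"{B}\build2.exe")] * 11
    + [_row(1620, 1988, rf"{B}\build2.exe", r"C:\Windows\SysWOW64\WerFault.exe")] * 4
    + [_row(1040, 2220, rf"{B}\build3.exe", rf"{B}\build3.exe")]
)


def write_pairs(text):
    """{(src_pid, dst_pid): [src_image, dst_image, writes]} in first-seen order."""
    pairs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            src, dst, src_img, dst_img = m.groups()
            entry = pairs.setdefault((int(src), int(dst)), [src_img, dst_img, 0])
            entry[2] += 1
    return pairs


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hollowing_candidates(text, min_writes=8):
    """(src_pid, dst_pid, image, writes) for pairs that write min_writes or more
    times into a process running the same image.  min_writes is an assumed
    cut-off: the 4 writes of 64DC.exe's ordinary re-launch of itself
    (1984 -> 2028) stay below it, the 11-write injections do not."""
    out = []
    for (src, dst), (src_img, dst_img, n) in write_pairs(text).items():
        if src_img != "N/A" and _basename(src_img) == _basename(dst_img) and n >= min_writes:
            out.append((src, dst, _basename(src_img), n))
    return out


if __name__ == "__main__":
    for src, dst, image, n in hollowing_candidates(SAMPLE_ROWS):
        print(f"{image}: PID {src} wrote {n} times into its own image in PID {dst}")
```

The write count alone is not proof; confirm against SetThreadContext / ResumeThread on the target, or dump the target's image region (the memory/<pid>-... entries under Files) and compare it with the file on disk.
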
System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe

"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7BD4.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\64DC.exe

C:\Users\Admin\AppData\Local\Temp\64DC.exe

C:\Users\Admin\AppData\Local\Temp\64DC.exe

C:\Users\Admin\AppData\Local\Temp\64DC.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\d6b6f262-097b-46f2-8397-4a74c32605ab" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\64DC.exe

"C:\Users\Admin\AppData\Local\Temp\64DC.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\64DC.exe

"C:\Users\Admin\AppData\Local\Temp\64DC.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe

"C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe"

C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe

"C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe"

C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build3.exe

"C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1404

C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build3.exe

"C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {B62C8D17-9261-427B-BC08-535E87AFE89D} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\B2ED.exe

C:\Users\Admin\AppData\Local\Temp\B2ED.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 124

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\B7DD.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\CE1C.exe

C:\Users\Admin\AppData\Local\Temp\CE1C.exe

C:\Users\Admin\AppData\Local\Temp\3577.exe

C:\Users\Admin\AppData\Local\Temp\3577.exe

C:\Users\Admin\AppData\Local\Temp\455E.exe

C:\Users\Admin\AppData\Local\Temp\455E.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\hebijig

C:\Users\Admin\AppData\Roaming\hebijig

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4C5C.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force

C:\Program Files (x86)\Windows Mail\wab.exe

"C:\Program Files (x86)\Windows Mail\wab.exe"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\svchost.exe

"C:\Windows\System32\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"

C:\Windows\System32\calc.exe

"C:\Windows\System32\calc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"

C:\Users\Admin\AppData\Local\Temp\AC3C.exe

C:\Users\Admin\AppData\Local\Temp\AC3C.exe
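
Added example, not part of the sandbox report: the Processes list above is raw telemetry, and the following shows how a detection engineer would turn four of its command lines into rules that run over process-creation events (image path plus command line, the two fields a Sysmon event 1 or Security 4688 record always carries). The rule names, the event field names and the two benign control events are assumptions; the ATT&CK technique IDs are the standard ones for each behaviour.

```python
r"""Detection rules for the living-off-the-land command lines in this report's
Processes list: schtasks persistence into a user-writable path, icacls denying
Everyone delete rights, a Defender exclusion added via Add-MpPreference, and
the HKCU\Software\clicker marker that both dropped .bat files write.

Events are {"image": <path>, "cmdline": <str>}."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str       # MITRE ATT&CK technique ID
    images: frozenset    # lower-case image basenames the rule applies to
    pattern: re.Pattern  # searched, case-insensitively, in the command line


RULES = (
    # /tr target under \Users\<user>\AppData\ : both tasks on this page
    # (Azure-Update-Task every minute, "svchost" at logon with /rl highest).
    Rule("schtasks_payload_in_user_writable_path", "T1053.005",
         frozenset({"schtasks.exe"}),
         re.compile(r"/create\b.*?/tr\s+[\'\"]*(?:[A-Za-z]:)?\\Users\\[^\\]+\\AppData\\", re.I)),
    # Deny Everyone (S-1-1-0) delete (DE) or delete-child (DC) on a directory.
    Rule("icacls_deny_everyone_delete", "T1222.001",
         frozenset({"icacls.exe"}),
         re.compile(r"/deny\s+\*?S-1-1-0:(?:\([A-Z]+\))*\([^)]*D[EC][^)]*\)", re.I)),
    Rule("defender_exclusion_added", "T1562.001",
         frozenset({"powershell.exe", "pwsh.exe"}),
         re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I)),
    Rule("reg_add_clicker_marker_key", "T1112",
         frozenset({"reg.exe"}),
         re.compile(r"\badd\s+[\'\"]?HK(?:EY_CURRENT_USER|CU)\\Software\\clicker\\", re.I)),
)


def scan(events):
    """Return one finding per (event, rule) pair whose image and command line match."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        for rule in RULES:
            if image in rule.images and rule.pattern.search(ev["cmdline"]):
                findings.append({"rule": rule.name, "technique": rule.technique,
                                 "image": ev["image"], "cmdline": ev["cmdline"]})
    return findings


# Constructed events: five command lines from the Processes list plus two
# benign controls that must not fire (a task under Program Files, a plain grant).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1'},
    {"image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r'icacls "C:\Users\Admin\AppData\Local\d6b6f262-097b-46f2-8397-4a74c32605ab" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'},
    {"image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r"""schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'"""},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "NightlyBackup" /sc daily /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'},
    {"image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls "C:\Share" /grant Users:(OI)(CI)R'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['technique']:<10} {f['rule']:<40} {f['cmdline'][:70]}")
```

The schtasks rule keys on the target path rather than on the task name, because "Azure-Update-Task" and "svchost" are chosen to look legitimate; the run location under AppData is the part the operator cannot disguise. The timeout.exe delay and the cmd /c wrappers in the list are left out on purpose: on their own they are too common in benign scripts to alert on.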

Network

Identical rows collapsed in order of first appearance; Count = number of recorded connections, "-" = no domain recorded for the destination.
Country Destination Domain Proto Count
US 8.8.8.8:53 trad-einmyus.com udp 1
RU 31.41.44.192:80 trad-einmyus.com tcp 64
US 8.8.8.8:53 sdfjhuz.com udp 1
MX 187.211.202.16:80 sdfjhuz.com tcp 2
US 8.8.8.8:53 api.2ip.ua udp 1
US 104.21.65.24:443 api.2ip.ua tcp 2
US 8.8.8.8:53 sajdfue.com udp 1
PA 190.218.35.32:80 sajdfue.com tcp 2
US 8.8.8.8:53 m2reg.ulm.ac.id udp 1
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp 1
US 8.8.8.8:53 steamcommunity.com udp 1
GB 23.214.154.77:443 steamcommunity.com tcp 1
DE 5.75.221.28:80 5.75.221.28 tcp 1
US 8.8.8.8:53 valowaves.com udp 1
US 104.21.51.243:443 valowaves.com tcp 1
US 8.8.8.8:53 hadogarden.com udp 1
VN 103.75.185.76:443 hadogarden.com tcp 2
US 8.8.8.8:53 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly udp 1
US 209.141.39.59:443 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly tcp 1
US 8.8.8.8:53 drive.google.com udp 1
NL 142.250.179.142:443 drive.google.com tcp 1
NL 195.20.16.82:443 - tcp 4
US 8.8.8.8:53 demo.nessotechbd.com udp 1
US 192.185.16.114:443 demo.nessotechbd.com tcp 2
US 8.8.8.8:53 streamingplay.site udp 1
BR 45.152.46.72:443 streamingplay.site tcp 2
RU 185.215.113.45:80 185.215.113.45 tcp 1
US 8.8.8.8:53 www.upload.ee udp 1
FR 51.91.30.159:443 www.upload.ee tcp 1
US 8.8.8.8:53 tmpfiles.org udp 1
US 104.21.21.16:443 tmpfiles.org tcp 1
US 8.8.8.8:53 apps.identrust.com udp 1
GB 96.17.179.184:80 apps.identrust.com tcp 1
US 8.8.8.8:53 valostar.org udp 1
US 104.21.18.207:443 valostar.org tcp 1
US 8.8.8.8:53 artemis-rat.com udp 1
US 172.67.140.87:443 artemis-rat.com tcp 2
US 8.8.8.8:53 www.callmanpro.com udp 1
AR 200.58.108.2:80 www.callmanpro.com tcp 1

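Added example, not part of the sandbox report: a parser for the Network table's row layout (Country Destination Domain Proto, with the Domain column missing when no name was recorded) that collapses repeated rows into a count per destination, returns the TCP peers as a block-list, and flags the two things worth pulling out of this table: the steady stream of connections to 31.41.44.192:80 and the destinations (195.20.16.82, 5.75.221.28, 185.215.113.45) that were reached by literal IP with no preceding DNS query, which a DNS-only block-list would miss. The embedded table is a constructed excerpt, not the full table, and the beacon threshold of five connections is an assumed value.

```python
"""Turn the report's Network table into a peer list and flag two behaviours:
repeated connections to one host:port (beaconing) and connections that were
never preceded by a DNS lookup (hard-coded IP, invisible to DNS block-lists).

Rows use the report's layout, Country Destination Domain Proto, with the Domain
column absent when no name was recorded for the destination."""

# Constructed excerpt modelled on the Network table above; the five repeated
# 31.41.44.192 rows stand in for the 64 the full table records.
SAMPLE_TABLE = """\
US 8.8.8.8:53 trad-einmyus.com udp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
DE 5.75.221.28:80 5.75.221.28 tcp
NL 195.20.16.82:443 tcp
NL 195.20.16.82:443 tcp
RU 185.215.113.45:80 185.215.113.45 tcp
US 8.8.8.8:53 drive.google.com udp
NL 142.250.179.142:443 drive.google.com tcp
"""


def parse_rows(text):
    """Yield (country, ip, port, domain, proto); domain is None for 3-column rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # blank or malformed line
        if ":" not in dest:
            continue  # header line ("Country Destination Domain Proto")
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def aggregate(rows):
    """Connection count per (ip, port, domain, proto), in first-seen order."""
    counts = {}
    for _country, ip, port, domain, proto in rows:
        key = (ip, port, domain, proto)
        counts[key] = counts.get(key, 0) + 1
    return counts


def network_iocs(text, beacon_threshold=5):
    """Return (peers, findings).  peers maps each TCP destination IP to the
    names it was reached under (the block-list); findings holds
    ("beacon", ip, port, n) for n >= beacon_threshold and
    ("direct_ip", ip, port, n) when the destination was reached without a DNS
    name.  The threshold is an assumed cut-off for a 300 s sandbox run; tune it
    for longer telemetry windows."""
    peers, findings = {}, []
    for (ip, port, domain, proto), n in aggregate(parse_rows(text)).items():
        if proto != "tcp":        # UDP rows here are queries to the resolver
            continue
        peers.setdefault(ip, set()).add(domain)
        if n >= beacon_threshold:
            findings.append(("beacon", ip, port, n))
        if domain is None or domain == ip:
            findings.append(("direct_ip", ip, port, n))
    return peers, findings


if __name__ == "__main__":
    peers, findings = network_iocs(SAMPLE_TABLE)
    for ip, names in peers.items():
        print(ip, sorted(n or "-" for n in names))
    for f in findings:
        print(*f)
```

Note that several of the HTTPS peers sit behind shared CDN or hosting ranges (the 104.21.x.x and 172.67.x.x addresses, drive.google.com, steamcommunity.com), so for those the domain, not the IP, is the indicator to block; the block-list should carry the name wherever one was recorded and fall back to the IP only for the direct_ip findings.
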
Files

memory/1540-1-0x0000000000650000-0x0000000000750000-memory.dmp

memory/1540-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1540-3-0x0000000000400000-0x0000000000474000-memory.dmp

memory/1540-5-0x0000000000400000-0x0000000000474000-memory.dmp

memory/1188-4-0x0000000002E00000-0x0000000002E16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7BD4.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

memory/2412-26-0x0000000001AB0000-0x0000000001B41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\64DC.exe

MD5 3dfc8542fbc11f1718d2bad085b8873c
SHA1 2d9e06da7f34812b0333dacc2c4a615a74c6bb04

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 04:55

Reported

2024-03-13 05:00

Platform

win10-20240221-en

Max time kernel

300s

Max time network

301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\07f26ff5-96e5-46da-b79a-78cc234a02a9\\2F5.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\2F5.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect Vidar Stealer

stealer

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Deletes itself

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\07f26ff5-96e5-46da-b79a-78cc234a02a9\\2F5.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\2F5.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\jvatcii N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\jvatcii N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\jvatcii N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\jvatcii N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3428 wrote to memory of 4756 N/A N/A C:\Windows\system32\cmd.exe
PID 3428 wrote to memory of 4756 N/A N/A C:\Windows\system32\cmd.exe
PID 4756 wrote to memory of 4672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4756 wrote to memory of 4672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3428 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 3428 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 3428 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2572 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2572 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2572 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2572 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2572 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2572 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2572 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2572 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2572 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2572 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 1936 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Windows\SysWOW64\icacls.exe
PID 1936 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Windows\SysWOW64\icacls.exe
PID 1936 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Windows\SysWOW64\icacls.exe
PID 1936 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 1936 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 1936 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2180 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2180 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2180 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2180 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2180 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2180 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2180 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2180 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2180 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2180 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\Temp\2F5.exe
PID 2852 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe
PID 2852 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe
PID 2852 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe
PID 2368 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe
PID 2368 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe
PID 2368 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe
PID 2368 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe
PID 2368 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe
PID 2368 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe
PID 2368 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe
PID 2368 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe
PID 2368 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe
PID 2368 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe
PID 2852 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe
PID 2852 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe
PID 2852 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2F5.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe
PID 3720 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe
PID 3720 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe
PID 3720 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe
PID 3720 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe
PID 3720 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe
PID 3720 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe
PID 3720 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe
PID 3720 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe
PID 3720 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe
PID 3956 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 3956 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 3956 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 1564 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1564 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1564 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe

"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B3FE.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2F5.exe

C:\Users\Admin\AppData\Local\Temp\2F5.exe

C:\Users\Admin\AppData\Local\Temp\2F5.exe

C:\Users\Admin\AppData\Local\Temp\2F5.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\07f26ff5-96e5-46da-b79a-78cc234a02a9" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\2F5.exe

"C:\Users\Admin\AppData\Local\Temp\2F5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2F5.exe

"C:\Users\Admin\AppData\Local\Temp\2F5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe

"C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe"

C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe

"C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1480

C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe

"C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe"

C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe

"C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\jvatcii

C:\Users\Admin\AppData\Roaming\jvatcii

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
US 8.8.8.8:53 192.44.41.31.in-addr.arpa udp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
KR 211.53.230.67:80 sdfjhuz.com tcp
US 8.8.8.8:53 67.230.53.211.in-addr.arpa udp
RU 31.41.44.192:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
RU 31.41.44.192:80 trad-einmyus.com tcp
US 104.21.65.24:443 api.2ip.ua tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 sajdfue.com udp
US 8.8.8.8:53 sdfjhuz.com udp
PA 190.218.35.32:80 sajdfue.com tcp
UY 179.25.61.235:80 sdfjhuz.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
US 8.8.8.8:53 32.35.218.190.in-addr.arpa udp
US 8.8.8.8:53 235.61.25.179.in-addr.arpa udp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
PA 190.218.35.32:80 sajdfue.com tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
US 8.8.8.8:53 77.154.214.23.in-addr.arpa udp
RU 31.41.44.192:80 trad-einmyus.com tcp
DE 5.75.221.28:80 5.75.221.28 tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
US 8.8.8.8:53 28.221.75.5.in-addr.arpa udp
RU 31.41.44.192:80 trad-einmyus.com tcp
RU 31.41.44.192:80 trad-einmyus.com tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 80.232.23.103.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

memory/3192-1-0x0000000000780000-0x0000000000880000-memory.dmp

memory/3192-3-0x0000000000400000-0x0000000000474000-memory.dmp

memory/3192-2-0x00000000005B0000-0x00000000005BB000-memory.dmp

memory/3428-4-0x00000000025F0000-0x0000000002606000-memory.dmp

memory/3192-5-0x0000000000400000-0x0000000000474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B3FE.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\2F5.exe

MD5 109125669dc1ccce29f0c630d2d985eb
SHA1 2d1b211ff69b6d3ff178ee9716263631e8f39027
SHA256 1718fb956c30c4a56490ecfc903ef34ed514ec13c1101d44ff4cf87095e5b064
SHA512 92bbf2eb15f7083bf5b3d376e15289c5d5e027b38100ec7cf5db6f811fde1a8e21ef32c87b9dd5120c096fdfcb7307fe4987e5c92d81fbd2c2807bb076074ea9

memory/2572-20-0x0000000001BA0000-0x0000000001C3C000-memory.dmp

memory/2572-21-0x0000000003750000-0x000000000386B000-memory.dmp

memory/1936-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1936-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1936-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1936-26-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\07f26ff5-96e5-46da-b79a-78cc234a02a9\2F5.exe

MD5 beb90153fff9049dabeb0617b49e6553
SHA1 4109ed25e21a11e1860b7dd02497e10daa2644c7
SHA256 63d0ec2c16b3abcc41b305e438ff0523f5f706b3ada2cb6879a42607b61da779
SHA512 cc83b2d055905d55a34b6a42c2cec3a73dcd8c5aa7b1492a17b5cc389a2e75204f44d4e77ed5c36147f85f346108423647961428a0cc5ffe29806115dea01eed

memory/1936-38-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2F5.exe

MD5 491e2fd8ab6677e7b1b4b3d6e4580e89
SHA1 6ac5feef922538d19363172bb235bdc3b53d58eb
SHA256 ec367a666d81934090d1daf27a46760d4e3675ca3a694d8c5673cbf317bb4eb5
SHA512 46dfdd44a1a1f4cbe03a15f81251b3e68b59cf1dafa11b5f6384c657671a0f74aba953c81ca53c9ca933eaccc0b4d1ba5f43f5cbec1b77ced0706712e5043d5f

memory/2180-41-0x00000000035A0000-0x000000000363E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2F5.exe

MD5 ecf1380fbc05125477dc2b3c46cf7239
SHA1 e5000d40128c6b2dfffe467bbec0fafe303dce33
SHA256 fbfdfe4178178aaec666aaeb66a6015648d85ec63674cd71a4be1d22cb268ec4
SHA512 6042c938a06a5e2011aaa96e1c8b064f652f33dfb7dc702f3652c18d7b0eea6a391a1b6161faf599cc99b7ca905128affd9b8e89391d8b85568d5e2f46d39a12

memory/2852-44-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2852-45-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2852-46-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 9ba84fd579eaf6662ca5f34e947a968a
SHA1 bd8dfbb4629cbafc4e075bfc3b1300e1fdab387f
SHA256 017945b76d4395b77d834bf9cf5fd3f315a57fafed7cfe3853f1aed2bbd8ddc9
SHA512 b931e47779b4a16fad2d8875a369b8903d1ae8d88332c1f421e95e3cf17782063998b1bc94378a2dc905b757e9bfa8636d352a6915ee51e73fe5c52a64b2419a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a76a4d2836ddebbb5640efb5ffaa566b
SHA1 0e0a9a04a0b2fa6680a29bfeccdc029fe81bdbe7
SHA256 315d52f0713aa99da7c66fa92ef2599d542c068367661a42718c6b90df7a02ac
SHA512 4033d1a248c418e45dd2708582f32eda17d99724c4c956b6533eda52365453f64102ca3140d1d2e11d87e22e2d10e46c3385cddbec3a20d0c4547fc143139314

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 099b6ede2a67948532447869b8ab1f6b
SHA1 4fe252f833bbb1ce49eb6691e851c0fd511bf837
SHA256 2adc5550986b2051e6787d4e56e80fa3ef58c55eb1440449885876aa83ff85d8
SHA512 96e2f9d9d5d1e6c158cfa2ce60a2a96b98ea6c7ea9853be77ebccf9f951c478d7deb4d99f885b06ee27242ddecdcaed0c5255998cae9519ac9faaea152090534

memory/2852-52-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2852-51-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2852-58-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2852-59-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2852-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2852-60-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe

MD5 88c5ca503e8fecbca8ee889a892b165c
SHA1 2ec61a72dc88584abda48f19fb8e4d2847264aed
SHA256 41f6207540f5197717e1c601b43c9c89a5109ff3aab98fe80f6645f0ebd2a153
SHA512 366035a481a439854094d13f8a0b9bf26e706dd43100421d92724baa1f9b1ceac74669e42e9331867a3c364f8e2f0c05d3387e5dea9d8669d29832614fa7b4b9

memory/4268-70-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2368-73-0x0000000001AD0000-0x0000000001BD0000-memory.dmp

memory/2368-75-0x0000000003680000-0x00000000036B1000-memory.dmp

memory/4268-74-0x0000000000400000-0x0000000000644000-memory.dmp

memory/4268-76-0x0000000000400000-0x0000000000644000-memory.dmp

C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2852-86-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4268-89-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2368-92-0x0000000003680000-0x00000000036B1000-memory.dmp

memory/3956-97-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3720-99-0x0000000000929000-0x000000000093A000-memory.dmp

memory/3956-103-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3720-102-0x00000000001F0000-0x00000000001F4000-memory.dmp

memory/3956-108-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3956-109-0x0000000000410000-0x0000000000411000-memory.dmp

memory/1564-128-0x0000000000950000-0x0000000000A50000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9c5b5ad54b71959e5196fa14187edc42
SHA1 e82ed6fefeb714e745309ec7310299fafc2bc554
SHA256 a33e48833363f7294f6ef27eea2940d2257bcb71598544f68152c3ebc10331f2
SHA512 2198b1491317a7bbea1471c5e74f73e2e1e0bf03e0efa4b41a0660f7ebfd5357242c741b157a80c7cc84ccbb0191c3bdbd4e9eb8e9b8a98159bea3eac960ee2e

C:\Users\Admin\AppData\Roaming\jvatcii

MD5 762c43c78ccf4d3b35574149b834f7a7
SHA1 b024585ab11a867a05b97f4de4336c14bb4e54e5
SHA256 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d
SHA512 83d45a68b4c2a4c9b4ac55a5aa1f66e5dfd84328535f5ada2830592cc7745b6ff39aa57aefe715c9bebab552f569fce1216b8689a85cb3be3d8661e6b2a1f827

memory/168-146-0x0000000000620000-0x0000000000720000-memory.dmp

memory/168-147-0x0000000000400000-0x0000000000474000-memory.dmp

memory/168-153-0x0000000000400000-0x0000000000474000-memory.dmp