Malware Analysis Report

2025-01-02 11:07

Sample ID 240314-chewvafh5t
Target 129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe
SHA256 129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a
Tags
djvu lumma smokeloader pub1 backdoor discovery persistence ransomware stealer trojan dcrat vidar 82df9629d6ef6fc7fe54d6eb2bc6137b infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a

Threat Level: Known bad

The file 129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

DcRat

Vidar

Detect Vidar Stealer

Djvu Ransomware

Detected Djvu ransomware

Lumma Stealer

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Deletes itself

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 02:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 02:04

Reported

2024-03-14 02:06

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows; no indicator details exported)

Djvu Ransomware

ransomware djvu

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1DE4.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0b2fa40c-a3db-4381-b999-934772bdf8a0\\1DE4.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\1DE4.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1388 set thread context of 5036 N/A C:\Users\Admin\AppData\Local\Temp\1DE4.exe C:\Users\Admin\AppData\Local\Temp\1DE4.exe
PID 4536 set thread context of 4600 N/A C:\Users\Admin\AppData\Local\Temp\1DE4.exe C:\Users\Admin\AppData\Local\Temp\1DE4.exe
PID 2320 set thread context of 4668 N/A C:\Users\Admin\AppData\Local\Temp\5D6F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe N/A
N/A N/A N/A N/A (62 identical rows; no indicator details exported)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Rows (identical rows collapsed)
Token: SeShutdownPrivilege N/A N/A N/A 15
Token: SeCreatePagefilePrivilege N/A N/A N/A 15
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5D6F.exe N/A 1

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Rows (identical rows collapsed)
PID 3540 wrote to memory of 4872 N/A N/A C:\Windows\system32\cmd.exe 2
PID 4872 wrote to memory of 4372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe 2
PID 3540 wrote to memory of 1388 N/A N/A C:\Users\Admin\AppData\Local\Temp\1DE4.exe 3
PID 1388 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\1DE4.exe C:\Users\Admin\AppData\Local\Temp\1DE4.exe 10
PID 5036 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\1DE4.exe C:\Windows\SysWOW64\icacls.exe 3
PID 5036 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\1DE4.exe C:\Users\Admin\AppData\Local\Temp\1DE4.exe 3
PID 4536 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\1DE4.exe C:\Users\Admin\AppData\Local\Temp\1DE4.exe 10
PID 3540 wrote to memory of 2320 N/A N/A C:\Users\Admin\AppData\Local\Temp\5D6F.exe 3
PID 2320 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\5D6F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 9

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe

"C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\94BE.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\1DE4.exe

C:\Users\Admin\AppData\Local\Temp\1DE4.exe

C:\Users\Admin\AppData\Local\Temp\1DE4.exe

C:\Users\Admin\AppData\Local\Temp\1DE4.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\0b2fa40c-a3db-4381-b999-934772bdf8a0" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\1DE4.exe

"C:\Users\Admin\AppData\Local\Temp\1DE4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1DE4.exe

"C:\Users\Admin\AppData\Local\Temp\1DE4.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4600 -ip 4600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 568

C:\Users\Admin\AppData\Local\Temp\5D6F.exe

C:\Users\Admin\AppData\Local\Temp\5D6F.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4668 -ip 4668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4668 -ip 4668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1240

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.150.149:80 trad-einmyus.com tcp
US 8.8.8.8:53 149.150.94.81.in-addr.arpa udp
US 8.8.8.8:53 sdfjhuz.com udp
UY 179.25.120.12:80 sdfjhuz.com tcp
US 8.8.8.8:53 12.120.25.179.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 64.134.221.88.in-addr.arpa udp
RU 81.94.150.149:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 sportessentia.home.pl udp
PL 79.96.138.166:443 sportessentia.home.pl tcp
US 8.8.8.8:53 166.138.96.79.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 theonlyreasonwhywe.pro udp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 172.67.218.191:443 theonlyreasonwhywe.pro tcp
US 8.8.8.8:53 80.232.23.103.in-addr.arpa udp
US 8.8.8.8:53 wisemassiveharmonious.shop udp
US 104.21.80.130:443 wisemassiveharmonious.shop tcp
US 8.8.8.8:53 191.218.67.172.in-addr.arpa udp
US 8.8.8.8:53 130.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
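
Most rows in the table above are not indicators: the 8.8.8.8:53 rows are the sandbox's own DNS queries, the in-addr.arpa names are its reverse lookups of every address it saw, and g.bing.com / tse1.mm.bing.net are Windows background traffic on the VM. The script below is an added example, not sandbox output: it reduces rows in the report's format to the hosts the sample actually connected to and emits one flat line per domain and per IP. The noise allowlist, the "ip-lookup-service" class for api.2ip.ua (the "Looks up external IP address via web service" signature above) and the output format are this example's assumptions.

```python
"""Reduce the sandbox Network table to the hosts the sample connected to.

Added example, not part of the report. SAMPLE_TABLE is a subset of the
behavioral2 Network rows above; the allowlist and the classification are this
example's assumptions.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)$")

RESOLVER_IP = "8.8.8.8"                       # sandbox resolver: query rows, not contacts
NOISE_SUFFIXES = (".bing.com", ".bing.net")   # Windows background traffic (assumption)
IP_LOOKUP_SERVICES = {"api.2ip.ua"}           # public-IP lookup, reported separately

SAMPLE_TABLE = """
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.150.149:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
UY 179.25.120.12:80 sdfjhuz.com tcp
RU 81.94.150.149:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
PL 79.96.138.166:443 sportessentia.home.pl tcp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 172.67.218.191:443 theonlyreasonwhywe.pro tcp
US 104.21.80.130:443 wisemassiveharmonious.shop tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""


def extract_iocs(table):
    """Return {domain: {"dests": set, "countries": set, "kind": str}} for hosts
    with a direct connection, dropping resolver traffic, reverse lookups and
    allowlisted background domains. Repeated rows collapse into one entry."""
    iocs = defaultdict(lambda: {"dests": set(), "countries": set(), "kind": "contacted-host"})
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        if ip == RESOLVER_IP or domain.endswith(".in-addr.arpa"):
            continue
        if domain.endswith(NOISE_SUFFIXES):
            continue
        entry = iocs[domain]
        entry["dests"].add(f"{ip}:{port}/{proto}")
        entry["countries"].add(country)
        if domain in IP_LOOKUP_SERVICES:
            entry["kind"] = "ip-lookup-service"
    return dict(iocs)


def as_lines(iocs):
    """One 'indicator<TAB>type<TAB>context' line per domain and per destination IP."""
    lines = []
    for domain in sorted(iocs):
        entry = iocs[domain]
        lines.append(f"{domain}\tdomain\t{entry['kind']}")
        for dest in sorted(entry["dests"]):
            lines.append(f"{dest.split(':')[0]}\tip\t{domain} {dest}")
    return lines


if __name__ == "__main__":
    print("\n".join(as_lines(extract_iocs(SAMPLE_TABLE))))
```

Hunt and block on the domains rather than the 172.67.x.x and 104.21.x.x addresses: those sit in Cloudflare ranges that front many unrelated sites, and api.2ip.ua is a public service the sample only uses to learn its external address, so it is a behavioural indicator, not a C2 to block on its own.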

Files

memory/4012-1-0x0000000000770000-0x0000000000870000-memory.dmp

memory/4012-2-0x00000000008E0000-0x00000000008EB000-memory.dmp

memory/4012-3-0x0000000000400000-0x000000000071E000-memory.dmp

memory/3540-4-0x0000000003500000-0x0000000003516000-memory.dmp

memory/4012-5-0x0000000000400000-0x000000000071E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\94BE.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\1DE4.exe

MD5 8d76e42cbd333b2d7c3946ea1351ac7a
SHA1 800bd806ade43fb2d4f5c81a7929f3e8eeab7019
SHA256 5e1e31f5dec4546c01331bc1705d7c7509c060b00b49d88f444b336992377498
SHA512 c7bea376a671118dcc28b3e954f6484346ff8b87172b14d6fc77d772b88d32a826ff39c36426ef02d90f86cd96f6995ad2b7e344fed7ebb1d437637bb59fcb7b

memory/1388-20-0x0000000002260000-0x00000000022F8000-memory.dmp

memory/1388-21-0x0000000002440000-0x000000000255B000-memory.dmp

memory/5036-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5036-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5036-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5036-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5036-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4536-41-0x0000000002260000-0x00000000022F8000-memory.dmp

memory/4600-44-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4600-45-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4600-47-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5D6F.exe

MD5 b0500750ede1bc70901508bacc7ab0b8
SHA1 c6efe4c7b811e6c3eed32f2f70ae7a6ac847c2e8
SHA256 04ee06f5a05400d75674fae38ed7d2938468d096cee29f2c896aa8c610fbe5bc
SHA512 f09f5031d10fd2c65ec1d8937035902c2273f3f3f36e386142406ae0079fe6c7fbd68e7ea9c8001dedc119ef4d321ad37ff61069f8242806114e352a815c1be5

memory/2320-55-0x0000000000400000-0x000000000048E000-memory.dmp

memory/2320-56-0x0000000074930000-0x00000000750E0000-memory.dmp

memory/2320-57-0x0000000004D00000-0x0000000004D10000-memory.dmp

memory/4668-60-0x0000000000400000-0x000000000044B000-memory.dmp

memory/4668-63-0x0000000000400000-0x000000000044B000-memory.dmp

memory/2320-65-0x0000000074930000-0x00000000750E0000-memory.dmp

memory/2320-66-0x00000000027C0000-0x00000000047C0000-memory.dmp

memory/4668-67-0x00000000007E0000-0x00000000007E1000-memory.dmp

memory/4668-68-0x0000000000400000-0x000000000044B000-memory.dmp

memory/4668-69-0x0000000000400000-0x000000000044B000-memory.dmp

memory/2320-70-0x00000000027C0000-0x00000000047C0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 02:04

Reported

2024-03-14 02:06

Platform

win7-20240221-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\58d3f659-4209-4d43-b03e-937d07d797c6\\FF27.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\FF27.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows; no indicator details exported)

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (14 identical rows; no indicator details exported)

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows; no indicator details exported)

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\58d3f659-4209-4d43-b03e-937d07d797c6\\FF27.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\FF27.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary blob omitted) C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary blob omitted) C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe N/A
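
Three host artifacts in this report are worth turning into detection logic: the SysHelper Run value that points into a GUID-named folder under AppData\Local and ends in --AutoStart (both runs), the icacls command that denies Everyone delete rights on that folder (Processes list of behavioral2), and the AuthRoot certificate write above. The rules below are an added example, not sandbox output; the events are constructed to mirror those rows in the shape Sysmon exports (EventID 1 = process create, EventID 13 = registry value set), with two constructed benign controls, and the rule names and thresholds are this example's assumptions. One caveat a practitioner would want on the certificate write: Windows' automatic root update writes the same AuthRoot key path through crypt32 inside whichever process first validates a chain, and 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 is the SHA-1 thumbprint of the public DigiCert High Assurance EV Root CA, so the write by build2.exe is more plausibly a side effect of its first TLS connection than deliberate store tampering. The rule therefore reports known public roots as informational and alerts only on an unknown root written from a user-writable path.

```python
"""Sysmon-style detections for the host artifacts recorded in this report.

Added example, not part of the report. Field names follow Sysmon (EventID,
Image, TargetObject, Details, CommandLine); SAMPLE_EVENTS are constructed to
mirror the report's rows plus two benign controls. Rule names, the GUID-folder
heuristic and KNOWN_PUBLIC_ROOTS are this example's assumptions.
"""
import re

GUID_DIR_RE = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}(\\|$)", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
AUTHROOT_RE = re.compile(r"\\SystemCertificates\\AuthRoot\\Certificates\\([0-9A-F]{40})\\Blob$", re.I)
ICACLS_DENY_RE = re.compile(r'^icacls\s+"([^"]+)"\s+/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)', re.I)
SYSTEM_IMAGE_PREFIXES = ("c:\\windows\\", "c:\\program files")

# Roots that Windows' automatic root update legitimately writes into AuthRoot
# from inside whatever process first needs them. Seed with the roots you trust;
# the thumbprint on this page is DigiCert High Assurance EV Root CA.
KNOWN_PUBLIC_ROOTS = {"5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25"}

SAMPLE_EVENTS = [
    # Mirrors the "Adds Run key to start application" row for 1DE4.exe.
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\1DE4.exe",
     "TargetObject": r"HKU\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "Details": r'"C:\Users\Admin\AppData\Local\0b2fa40c-a3db-4381-b999-934772bdf8a0\1DE4.exe" --AutoStart'},
    # Mirrors the icacls command line from the behavioral2 process list.
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\icacls.exe",
     "CommandLine": r'icacls "C:\Users\Admin\AppData\Local\0b2fa40c-a3db-4381-b999-934772bdf8a0" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    # Mirrors the AuthRoot write by build2.exe.
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob",
     "Details": "Binary Data"},
    # Constructed control: an unknown root written from a user-writable path.
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\x.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob",
     "Details": "Binary Data"},
    # Constructed benign control: ordinary vendor Run value, no GUID folder, no --AutoStart.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\app.exe",
     "TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorApp",
     "Details": r'"C:\Program Files\Vendor\app.exe" /background'},
]


def evaluate(event):
    """Return a list of (rule, detail) hits for one event dict."""
    hits = []
    eid, image = event.get("EventID"), event.get("Image", "")
    if eid == 13:
        target, details = event.get("TargetObject", ""), event.get("Details", "")
        # Run value whose data launches a binary from a GUID-named AppData\Local
        # folder with the --AutoStart switch seen in both runs of this report.
        if RUN_KEY_RE.search(target) and details.rstrip().endswith("--AutoStart") \
                and GUID_DIR_RE.search(details):
            hits.append(("run-key-autostart-from-guid-dir", target.rsplit("\\", 1)[-1]))
        m = AUTHROOT_RE.search(target)
        if m:
            thumb = m.group(1).upper()
            if thumb in KNOWN_PUBLIC_ROOTS:
                hits.append(("authroot-autoupdate-known-root", thumb))   # informational only
            elif not image.lower().startswith(SYSTEM_IMAGE_PREFIXES):
                hits.append(("authroot-unknown-root-from-user-image", thumb))
    elif eid == 1:
        # icacls denying Everyone (S-1-1-0) delete rights on the GUID folder:
        # the sample protecting its own install directory.
        m = ICACLS_DENY_RE.search(event.get("CommandLine", ""))
        if m and GUID_DIR_RE.search(m.group(1)):
            hits.append(("icacls-deny-everyone-delete-on-guid-dir", m.group(1)))
    return hits


def scan(events):
    """Evaluate every event; returns [(index, rule, detail), ...]."""
    return [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in evaluate(ev)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The first two rules get their specificity from the combination, not from any single field: a GUID-named folder directly under AppData\Local, a Run value ending in --AutoStart, and a deny-Everyone ACE on that same folder rarely co-occur in legitimate software, so correlate the two hits on the folder path before paging anyone.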

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe N/A
N/A N/A N/A N/A (62 identical rows; no indicator details exported)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1212 wrote to memory of 2608 N/A N/A C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 2608 N/A N/A C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 2608 N/A N/A C:\Windows\system32\cmd.exe
PID 2608 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2608 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2608 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1212 wrote to memory of 2076 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 1212 wrote to memory of 2076 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 1212 wrote to memory of 2076 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 1212 wrote to memory of 2076 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 2076 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 2076 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 2076 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 2076 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 2076 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 2076 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 2076 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 2076 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 2076 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 2076 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 2076 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 2816 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Windows\SysWOW64\icacls.exe
PID 2816 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Windows\SysWOW64\icacls.exe
PID 2816 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Windows\SysWOW64\icacls.exe
PID 2816 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Windows\SysWOW64\icacls.exe
PID 2816 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 2816 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 2816 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 2816 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 1028 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 1028 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 1028 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 1028 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 1028 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 1028 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 1028 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 1028 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 1028 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 1028 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 1028 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\Temp\FF27.exe
PID 1064 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe
PID 1064 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe
PID 1064 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe
PID 1064 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe
PID 1648 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe
PID 1064 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\FF27.exe C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build3.exe
PID 1804 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build3.exe C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe

"C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\626B.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\FF27.exe

C:\Users\Admin\AppData\Local\Temp\FF27.exe

C:\Users\Admin\AppData\Local\Temp\FF27.exe

C:\Users\Admin\AppData\Local\Temp\FF27.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\58d3f659-4209-4d43-b03e-937d07d797c6" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\FF27.exe

"C:\Users\Admin\AppData\Local\Temp\FF27.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\FF27.exe

"C:\Users\Admin\AppData\Local\Temp\FF27.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe

"C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe"

C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe

"C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe"

C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build3.exe

"C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build3.exe"

C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build3.exe

"C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1428

C:\Windows\system32\taskeng.exe

taskeng.exe {EB08BD67-330F-4817-A539-448B7E9221C2} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.150.149:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
KR 211.40.39.251:80 sdfjhuz.com tcp
RU 81.94.150.149:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
KR 211.40.39.251:80 sdfjhuz.com tcp
US 8.8.8.8:53 sajdfue.com udp
KR 211.171.233.126:80 sajdfue.com tcp
KR 211.171.233.126:80 sajdfue.com tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
DE 5.75.221.28:80 5.75.221.28 tcp
US 8.8.8.8:53 sportessentia.home.pl udp
PL 79.96.138.166:443 sportessentia.home.pl tcp
PL 79.96.138.166:443 sportessentia.home.pl tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp

Files

C:\Users\Admin\AppData\Local\Temp\626B.bat

C:\Users\Admin\AppData\Local\Temp\FF27.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Cab122A.tmp

\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe

C:\Users\Admin\AppData\Local\Temp\Tar38DD.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar3E7E.tmp

\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build3.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
