Malware Analysis Report

2025-01-02 11:07

Sample ID 240314-fg5yesah9s
Target 1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50
SHA256 1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50
Tags
dcrat djvu smokeloader vidar 82df9629d6ef6fc7fe54d6eb2bc6137b pub1 backdoor discovery infostealer persistence ransomware rat stealer trojan lumma
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50

Threat Level: Known bad

The file 1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50 was found to be: Known bad.

Malicious Activity Summary

dcrat djvu smokeloader vidar 82df9629d6ef6fc7fe54d6eb2bc6137b pub1 backdoor discovery infostealer persistence ransomware rat stealer trojan lumma

Detect Vidar Stealer

DcRat

SmokeLoader

Detected Djvu ransomware

Vidar

Lumma Stealer

Djvu Ransomware

Downloads MZ/PE file

Modifies file permissions

Executes dropped EXE

Deletes itself

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 04:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 04:51

Reported

2024-03-14 04:56

Platform

win7-20240221-en

Max time kernel

300s

Max time network

227s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\54331454-c55d-4637-9278-d1f15685e838\\A111.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\A111.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\54331454-c55d-4637-9278-d1f15685e838\\A111.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\A111.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 2196 N/A N/A C:\Windows\system32\cmd.exe
PID 1196 wrote to memory of 2196 N/A N/A C:\Windows\system32\cmd.exe
PID 1196 wrote to memory of 2196 N/A N/A C:\Windows\system32\cmd.exe
PID 2196 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2196 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2196 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1196 wrote to memory of 2852 N/A N/A C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 1196 wrote to memory of 2852 N/A N/A C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 1196 wrote to memory of 2852 N/A N/A C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 1196 wrote to memory of 2852 N/A N/A C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2724 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Windows\SysWOW64\icacls.exe
PID 2724 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Windows\SysWOW64\icacls.exe
PID 2724 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Windows\SysWOW64\icacls.exe
PID 2724 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Windows\SysWOW64\icacls.exe
PID 2724 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2724 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2724 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2724 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2040 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2040 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2040 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2040 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2040 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2040 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2040 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2040 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2040 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2040 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2040 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\Temp\A111.exe
PID 2696 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe
PID 2696 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe
PID 2696 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe
PID 2696 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe
PID 2204 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe
PID 2204 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe
PID 2204 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe
PID 2204 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe
PID 2204 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe
PID 2204 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe
PID 2204 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe
PID 2204 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe
PID 2204 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe
PID 2204 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe
PID 2204 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe
PID 2696 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe
PID 2696 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe
PID 2696 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe
PID 2696 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\A111.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe
PID 2892 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe
PID 2892 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe
PID 2892 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe
PID 2892 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe
PID 2892 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe

"C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7AAC.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\A111.exe

C:\Users\Admin\AppData\Local\Temp\A111.exe

C:\Users\Admin\AppData\Local\Temp\A111.exe

C:\Users\Admin\AppData\Local\Temp\A111.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\54331454-c55d-4637-9278-d1f15685e838" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\A111.exe

"C:\Users\Admin\AppData\Local\Temp\A111.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\A111.exe

"C:\Users\Admin\AppData\Local\Temp\A111.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe

"C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe"

C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe

"C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe"

C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe

"C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe"

C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe

"C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1400

C:\Windows\system32\taskeng.exe

taskeng.exe {6620482D-9F38-4A4D-83A3-F524C85B4F05} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\B68.exe

C:\Users\Admin\AppData\Local\Temp\B68.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EF2.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\3151.exe

C:\Users\Admin\AppData\Local\Temp\3151.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.150.149:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
KR 210.182.29.70:80 sdfjhuz.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
KR 210.182.29.70:80 sdfjhuz.com tcp
US 8.8.8.8:53 sajdfue.com udp
CO 186.112.12.181:80 sajdfue.com tcp
US 8.8.8.8:53 sportessentia.home.pl udp
PL 79.96.138.166:443 sportessentia.home.pl tcp
PL 79.96.138.166:443 sportessentia.home.pl tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
CO 186.112.12.181:80 sajdfue.com tcp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
DE 5.75.221.28:80 5.75.221.28 tcp
RU 81.94.150.149:80 trad-einmyus.com tcp
US 8.8.8.8:53 valowaves.com udp
US 104.21.51.243:443 valowaves.com tcp
US 8.8.8.8:53 nessotechbd.com udp
US 192.185.16.114:443 nessotechbd.com tcp
US 192.185.16.114:443 nessotechbd.com tcp
US 8.8.8.8:53 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly udp
US 209.141.39.59:443 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly tcp
US 8.8.8.8:53 drive.google.com udp
NL 142.250.179.142:443 drive.google.com tcp
NL 195.20.16.82:443 tcp
NL 195.20.16.82:443 tcp
US 8.8.8.8:53 safety.co.tz udp
US 67.227.213.152:443 safety.co.tz tcp
US 67.227.213.152:443 safety.co.tz tcp
US 8.8.8.8:53 streamingplay.site udp
BR 45.152.46.72:443 streamingplay.site tcp
BR 45.152.46.72:443 streamingplay.site tcp
US 8.8.8.8:53 www.upload.ee udp
FR 51.91.30.159:443 www.upload.ee tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp

Files

memory/756-1-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/756-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/756-3-0x0000000000400000-0x0000000000720000-memory.dmp

memory/1196-4-0x0000000002E10000-0x0000000002E26000-memory.dmp

memory/756-5-0x0000000000400000-0x0000000000720000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7AAC.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\A111.exe

MD5 8d76e42cbd333b2d7c3946ea1351ac7a
SHA1 800bd806ade43fb2d4f5c81a7929f3e8eeab7019
SHA256 5e1e31f5dec4546c01331bc1705d7c7509c060b00b49d88f444b336992377498
SHA512 c7bea376a671118dcc28b3e954f6484346ff8b87172b14d6fc77d772b88d32a826ff39c36426ef02d90f86cd96f6995ad2b7e344fed7ebb1d437637bb59fcb7b

memory/2852-27-0x0000000000300000-0x0000000000392000-memory.dmp

memory/2852-26-0x0000000000300000-0x0000000000392000-memory.dmp

memory/2724-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2724-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2852-28-0x00000000020D0000-0x00000000021EB000-memory.dmp

memory/2724-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2724-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2724-58-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2040-60-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2040-61-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2696-68-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2696-69-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA89E.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df640f771ce8afe7ff64e444ec502bde
SHA1 a22b80cf66c25654a68d8722d4a0a93d7c3abde9
SHA256 ce8ab08036aad171898c90c8d4190ba5dc3d3240ab31d4b0f55f9a02ba5f1ec9
SHA512 c77fbb68c65597dcfc429d37a6e9d280dda31f1caaf7586bfe66a19c3abdd256f334e5388a333f1f55fe2ce7dee87df1f44ffbc5da1e85532bd4982343d124ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 2cbb6a637e7a4ed3aa5181cbc0462336
SHA1 a43f3782e8feef85a53d5c8e419251c501eb47c2
SHA256 817e3a1fa5f67a5303cbc8cc07397b2424447367cc8adff696be11b0d26e1079
SHA512 6bd6379276bd3f4858304012f5f6d4d8359e1917cf6fa6c72e35b03a349e0190af877794d00811ffb07442641a0212a56d73bf176c888d661ad4bc487fdcd235

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 2ff14fb732157b20816afe0e355cc84a
SHA1 a711e7eb1a3738b3303cab8789d4a2aca26b4243
SHA256 867370548e14283f78abcac4220f565ccd77dde9230844881ddb21274df4eb92
SHA512 397e43d4978431f15287f913f34ca463a93fa00b137123dc8a8ba12cb170afa818ceef93433986ea78231bbc8320eacc5f9d1ce50dcbafc696d8d600abb7ab80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 e9e958a38328b74acd69473906e161cc
SHA1 ac407594dedba43b7129f5c8cbfb7030197a6660
SHA256 4186f1994bc6fed3064b8761bc30871281675d7f6d9ecd2f5b8dc0cdbe55f029
SHA512 27e9fc770b060253b8e7758921aed974ed04225c7e896183f7361296d56f6ed1fdedc63e5648241df858a6f0e8fbb47ca9cba92995757217b77f251e752eb2a0

memory/2696-82-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2696-83-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2696-87-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2696-89-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2696-90-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe

MD5 47704f454af8641dac1af2e2768d7881
SHA1 e3341bfdec84f69684aecde18cab2864519c7728
SHA256 a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64
SHA512 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25

memory/2420-104-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2204-109-0x00000000007C0000-0x00000000008C0000-memory.dmp

memory/2204-110-0x00000000002D0000-0x0000000000301000-memory.dmp

memory/2420-111-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2420-106-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2420-113-0x0000000000400000-0x0000000000644000-memory.dmp

C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2696-124-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2696-112-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarD53A.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\TarD6A7.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

memory/2892-171-0x00000000009A2000-0x00000000009B3000-memory.dmp

memory/2892-173-0x0000000000220000-0x0000000000224000-memory.dmp

memory/2064-169-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2064-167-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2064-174-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2064-176-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2420-183-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2072-197-0x0000000000910000-0x0000000000A10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B68.exe

MD5 9e52aa572f0afc888c098db4c0f687ff
SHA1 ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA256 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512 d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

memory/2468-219-0x0000000000AF0000-0x00000000017D5000-memory.dmp

memory/2468-236-0x0000000000AF0000-0x00000000017D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3151.exe

MD5 450039a02217c53bd983eaf1fd34505a
SHA1 930ed58a2f58ca7bf3e39aaee43fb541f1c6eeda
SHA256 d2eacbc922f248856b860aa7c31476ae4123f97e82cf69760ef216d9dca321f0
SHA512 cf37a82ea7b64f4633ac82c73feff3f829dda279a7caeac32a4cde7b0f82a43b37f67e620677a87d2eccc0eee6f8d68d0175a086487b2174b4f30b66aa4fb080

memory/1824-251-0x00000000009C0000-0x0000000000AC0000-memory.dmp

memory/864-278-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/2940-308-0x0000000000270000-0x0000000000370000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 04:51

Reported

2024-03-14 04:56

Platform

win10-20240214-en

Max time kernel

154s

Max time network

257s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\aec5f534-9b59-4cc7-93ca-15a76bb8a993\\3E6C.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\3E6C.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\aec5f534-9b59-4cc7-93ca-15a76bb8a993\\3E6C.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\3E6C.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A (2 rows)
(62 further rows, all fields N/A)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A (21 rows, no process recorded)
Token: SeCreatePagefilePrivilege N/A N/A N/A (21 rows, no process recorded)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6F22.exe N/A
(The original table alternates the first two tokens; the SeDebugPrivilege row is the only one with a process attributed.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3396 wrote to memory of 4232 N/A N/A C:\Windows\system32\cmd.exe (2 rows)
PID 4232 wrote to memory of 4192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 rows)
PID 3396 wrote to memory of 2296 N/A N/A C:\Users\Admin\AppData\Local\Temp\3E6C.exe (3 rows)
PID 2296 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\3E6C.exe C:\Users\Admin\AppData\Local\Temp\3E6C.exe (10 rows)
PID 4852 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\3E6C.exe C:\Windows\SysWOW64\icacls.exe (3 rows)
PID 4852 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\3E6C.exe C:\Users\Admin\AppData\Local\Temp\3E6C.exe (3 rows)
PID 2904 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\3E6C.exe C:\Users\Admin\AppData\Local\Temp\3E6C.exe (10 rows)
PID 3396 wrote to memory of 4756 N/A N/A C:\Users\Admin\AppData\Local\Temp\6F22.exe (3 rows)
PID 4756 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\6F22.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (9 rows)
PID 4596 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\3E6C.exe C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe (3 rows)
PID 4640 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe (10 rows)
PID 4596 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\3E6C.exe C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe (3 rows)
PID 2996 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe (3 rows)
(Identical rows collapsed; the count in parentheses is the number of times each row appears in the original table. The writer image for PID 3396 is not recorded.)

Uses Task Scheduler COM API

persistence
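
The WriteProcessMemory rows above are enough to rebuild the process chain and to separate ordinary process creation from injection. Every parent in the table writes two or three times into a child it just started (cmd.exe into reg.exe, 3E6C.exe into icacls.exe), but a few pairs show nine or ten writes: 3E6C.exe into a second copy of itself (twice along the chain), build2.exe into a copy of itself, and 6F22.exe into RegAsm.exe, a signed .NET binary under C:\Windows. The Processes list below also shows WerFault.exe started for PIDs 4808 (that RegAsm.exe) and 1216 (the second build2.exe), so both injected targets crashed. The script below is an added example, not part of the report or of the sandbox vendor's tooling: it parses the rows (constructed here as one entry per distinct row plus its repeat count), reconstructs which PID runs which image, and flags the bulk-write pairs. The "nine writes or more" threshold and the path heuristics are this example's assumptions, chosen from the counts visible in the table.

```python
import re
from collections import Counter

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")

# Constructed sample: one entry per distinct row of the WriteProcessMemory table,
# with the number of times the report repeats that row.
SAMPLE = [
    (2, r"PID 3396 wrote to memory of 4232 N/A N/A C:\Windows\system32\cmd.exe"),
    (2, r"PID 4232 wrote to memory of 4192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe"),
    (3, r"PID 3396 wrote to memory of 2296 N/A N/A C:\Users\Admin\AppData\Local\Temp\3E6C.exe"),
    (10, r"PID 2296 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\3E6C.exe C:\Users\Admin\AppData\Local\Temp\3E6C.exe"),
    (3, r"PID 4852 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\3E6C.exe C:\Windows\SysWOW64\icacls.exe"),
    (3, r"PID 4852 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\3E6C.exe C:\Users\Admin\AppData\Local\Temp\3E6C.exe"),
    (10, r"PID 2904 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\3E6C.exe C:\Users\Admin\AppData\Local\Temp\3E6C.exe"),
    (3, r"PID 3396 wrote to memory of 4756 N/A N/A C:\Users\Admin\AppData\Local\Temp\6F22.exe"),
    (9, r"PID 4756 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\6F22.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    (3, r"PID 4596 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\3E6C.exe C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe"),
    (10, r"PID 4640 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe"),
    (3, r"PID 4596 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\3E6C.exe C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe"),
    (3, r"PID 2996 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe"),
]

# Assumption: the sandbox logs two or three writes for an ordinary CreateProcess
# (see cmd.exe -> reg.exe above), so only pairs at or above this count are
# treated as bulk copying of a payload into the child.
BULK_WRITES = 9


def expand(sample):
    """Re-expand the folded sample into the individual rows the sandbox logged."""
    return [line for count, line in sample for _ in range(count)]


def build_tree(lines):
    """Return (images, writes): pid -> image path, (writer, target) -> write count."""
    images, writes = {}, Counter()
    for line in lines:
        m = ROW.match(line)
        if not m:
            continue
        writer, target = int(m.group(1)), int(m.group(2))
        w_img, t_img = m.group(3), m.group(4)
        if w_img != "N/A":            # the writer's own image is sometimes unrecorded
            images[writer] = w_img
        images[target] = t_img
        writes[(writer, target)] += 1
    return images, writes


def under_profile(path):
    return "\\users\\" in path.lower()


def under_windows(path):
    return path.lower().startswith("c:\\windows\\")


def flag_injections(images, writes, bulk=BULK_WRITES):
    """Return (reason, writer_pid, target_pid) triples, ordered by writer then target."""
    findings = []
    for (writer, target), n in sorted(writes.items()):
        w_img, t_img = images.get(writer, "N/A"), images[target]
        if w_img == "N/A":
            findings.append(("writer image not recorded", writer, target))
        elif w_img.lower() == t_img.lower() and n >= bulk:
            findings.append(("bulk writes into a copy of itself (hollowing candidate)", writer, target))
        elif under_profile(w_img) and under_windows(t_img) and n >= bulk:
            findings.append(("bulk writes from user profile into a Windows binary", writer, target))
    return findings


def children(images, writes, pid):
    """Direct children of pid, as (pid, image, write_count), ascending by pid."""
    return [(t, images[t], n) for (w, t), n in sorted(writes.items()) if w == pid]


if __name__ == "__main__":
    images, writes = build_tree(expand(SAMPLE))
    for reason, w, t in flag_injections(images, writes):
        print(f"{w} -> {t}: {reason} ({writes[(w, t)]} writes, target {images[t]})")
    for t, img, n in children(images, writes, 3396):
        print(f"3396 -> {t} {img} ({n} writes)")
```

PID 3396 is the root of everything here (it starts cmd.exe, 3E6C.exe and 6F22.exe) yet its image never appears in the table, so the script reports it separately rather than guessing; on a live host that PID is the one to pull a memory image of first.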

Processes

C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe

"C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9B6.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\3E6C.exe

C:\Users\Admin\AppData\Local\Temp\3E6C.exe

C:\Users\Admin\AppData\Local\Temp\3E6C.exe

C:\Users\Admin\AppData\Local\Temp\3E6C.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\aec5f534-9b59-4cc7-93ca-15a76bb8a993" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\3E6C.exe

"C:\Users\Admin\AppData\Local\Temp\3E6C.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\3E6C.exe

"C:\Users\Admin\AppData\Local\Temp\3E6C.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6F22.exe

C:\Users\Admin\AppData\Local\Temp\6F22.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1168

C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe

"C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe"

C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe

"C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe"

C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe

"C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1488

C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe

"C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\9A65.exe

C:\Users\Admin\AppData\Local\Temp\9A65.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9FB5.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 984

C:\Users\Admin\AppData\Local\Temp\C3F7.exe

C:\Users\Admin\AppData\Local\Temp\C3F7.exe
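
Three command lines in the list above carry the persistence and self-protection of this run. The schtasks call creates a task named "Azure-Update-Task" with /sc minute /mo 1, so mstsca.exe under AppData\Roaming is relaunched every minute, and /F overwrites any task already using that name. The icacls call denies the Everyone SID (S-1-1-0) the DELETE and DELETE_CHILD rights on the GUID-named directory, inherited to its files and subfolders by (OI)(CI), so the copy of 3E6C.exe that the Run key points at cannot simply be deleted by the user. The dropped executable also relaunches itself with --Admin IsNotAutoStart IsNotTask, and the Run key value from the "Adds Run key to start application" signature starts it with --AutoStart. The rule set below is an added example, not part of the report: it scans command lines (constructed here from the Processes list plus that Run key value) and reports which of those behaviours each one shows. The rules, severities, the five-minute cut-off for task intervals and the "GUID-named directory under AppData" heuristic are this example's own assumptions.

```python
import re

# Constructed sample: the command lines from the Processes list above, plus the
# Run key value from the "Adds Run key to start application" signature.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9B6.bat" "',
    r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1',
    r'icacls "C:\Users\Admin\AppData\Local\aec5f534-9b59-4cc7-93ca-15a76bb8a993" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'"C:\Users\Admin\AppData\Local\Temp\3E6C.exe" --Admin IsNotAutoStart IsNotTask',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1168',
    r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"',
    r'"C:\Users\Admin\AppData\Local\aec5f534-9b59-4cc7-93ca-15a76bb8a993\3E6C.exe" --AutoStart',
]

USER_PATH = re.compile(r"[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
GUID_DIR = re.compile(r'\\[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}(?=[\\"]|$)', re.I)


def classify(cmdline):
    """Return a list of (severity, finding) for one command line.

    Rules and severities are this example's own assumptions; they encode the
    behaviours visible in the report, not a vendor signature set."""
    low = cmdline.lower()
    findings = []

    # Task Scheduler: /sc minute with a small /mo interval and an action in the
    # user profile is a relaunch loop, not a maintenance task.
    if "/create" in low and "/sc minute" in low:
        mo = re.search(r"/mo\s+(\d+)", low)
        tr = re.search(r'/tr\s+"?([^"]+)"?', cmdline, re.I)
        every = int(mo.group(1)) if mo else 1
        if tr and USER_PATH.search(tr.group(1)) and every <= 5:
            findings.append(("high", f"task every {every} min runs {tr.group(1)}"))

    # icacls denying Everyone (S-1-1-0) DELETE and DELETE_CHILD, inherited to
    # files and subfolders, on a directory the sample itself created.
    if low.startswith("icacls") and "/deny *s-1-1-0" in low and "(de,dc)" in low:
        target = re.search(r'icacls\s+"([^"]+)"', cmdline, re.I)
        where = target.group(1) if target else "?"
        findings.append(("high", f"delete denied to Everyone on {where}"))

    # Payload staged in a GUID-named directory under the user's profile.
    if GUID_DIR.search(cmdline) and USER_PATH.search(cmdline):
        findings.append(("medium", "executable staged in GUID-named AppData directory"))

    # Self-relaunch switches seen on the dropped executable.
    if re.search(r"--(AutoStart|Admin)\b", cmdline):
        findings.append(("medium", "relaunch with --AutoStart/--Admin switches"))

    # cmd.exe running a batch file out of %TEMP%.
    bat = re.search(r'cmd\.exe\s+/c\s+"*([^"]+\.bat)', cmdline, re.I)
    if bat and "\\temp\\" in bat.group(1).lower():
        findings.append(("medium", f"batch file from Temp: {bat.group(1)}"))

    # reg.exe writing a value under HKCU\Software (marker or config value).
    if low.startswith("reg add") and "hkey_current_user\\software\\" in low:
        findings.append(("low", "reg add under HKCU\\Software"))
    return findings


def scan(cmdlines):
    """Map each command line that triggered at least one rule to its findings."""
    return {c: f for c in cmdlines if (f := classify(c))}


if __name__ == "__main__":
    for cmd, found in scan(SAMPLE_CMDLINES).items():
        print(cmd)
        for severity, text in found:
            print(f"  [{severity}] {text}")
```

For cleanup the order matters: remove the task first (schtasks /delete /tn "Azure-Update-Task" /f), then strip the deny entry before trying to remove the staging directory (icacls "<dir>" /remove:d *S-1-1-0), because with the (DE,DC) deny in place the delete fails even for an administrator until the ACE is gone.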

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.150.149:80 trad-einmyus.com tcp
US 8.8.8.8:53 149.150.94.81.in-addr.arpa udp
US 8.8.8.8:53 sdfjhuz.com udp
KR 210.182.29.70:80 sdfjhuz.com tcp
US 8.8.8.8:53 70.29.182.210.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 sportessentia.home.pl udp
KR 210.182.29.70:80 sdfjhuz.com tcp
US 8.8.8.8:53 sajdfue.com udp
CO 186.112.12.181:80 sajdfue.com tcp
PL 79.96.138.166:443 sportessentia.home.pl tcp
US 8.8.8.8:53 166.138.96.79.in-addr.arpa udp
US 8.8.8.8:53 181.12.112.186.in-addr.arpa udp
US 8.8.8.8:53 theonlyreasonwhywe.pro udp
US 104.21.38.37:443 theonlyreasonwhywe.pro tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 wisemassiveharmonious.shop udp
US 104.21.80.130:443 wisemassiveharmonious.shop tcp
US 8.8.8.8:53 37.38.21.104.in-addr.arpa udp
US 8.8.8.8:53 130.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 80.232.23.103.in-addr.arpa udp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
CO 186.112.12.181:80 sajdfue.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
DE 5.75.221.28:80 5.75.221.28 tcp
US 8.8.8.8:53 77.154.214.23.in-addr.arpa udp
US 8.8.8.8:53 28.221.75.5.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
RU 81.94.150.149:80 trad-einmyus.com tcp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 104.21.94.2:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 2.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 technologyenterdo.shop udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 8.8.8.8:53 valowaves.com udp
US 172.67.192.62:443 valowaves.com tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 8.8.8.8:53 associationokeo.shop udp
US 172.67.147.18:443 associationokeo.shop tcp
US 8.8.8.8:53 18.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 62.192.67.172.in-addr.arpa udp
US 8.8.8.8:53 nessotechbd.com udp
US 192.185.16.114:443 nessotechbd.com tcp
US 8.8.8.8:53 114.16.185.192.in-addr.arpa udp
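
Read as raw rows the table mixes three kinds of traffic: DNS queries to the sandbox resolver 8.8.8.8, TCP connections to the resolved hosts, and reverse (in-addr.arpa) lookups of addresses already in the table, which add no indicator. Two connections have no hostname at all (20.231.121.79:80 and 5.75.221.28:80), so a DNS-based block would not catch them, and seven hosts (technologyenterdo.shop, lighterepisodeheighte.fun, problemregardybuiwo.fun, detectordiscusser.shop, edurestunningcrackyow.fun, pooreveningfuseor.pw, turkeyunlikelyofw.shop) were resolved but never connected to, which is the pattern of a fallback list being walked. The script below is an added example, not part of the report: it parses the rows (constructed here as a subset of the table) into block, review and resolved-only sets. Treating api.2ip.ua and steamcommunity.com as legitimate services to review rather than block is this example's assumption.

```python
import json
import re
from collections import defaultdict

ROW = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")
RESOLVER = "8.8.8.8"   # the sandbox's DNS server, as seen in the table

# Assumption: legitimate services the sample contacted; review them, do not blanket-block.
REVIEW = {"api.2ip.ua", "steamcommunity.com"}

# Constructed sample: a subset of the rows in the Network table above.
NETWORK_TABLE = """\
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.150.149:80 trad-einmyus.com tcp
US 8.8.8.8:53 149.150.94.81.in-addr.arpa udp
US 8.8.8.8:53 sdfjhuz.com udp
KR 210.182.29.70:80 sdfjhuz.com tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
DE 5.75.221.28:80 5.75.221.28 tcp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 104.21.94.2:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 8.8.8.8:53 valowaves.com udp
US 172.67.192.62:443 valowaves.com tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 8.8.8.8:53 associationokeo.shop udp
US 172.67.147.18:443 associationokeo.shop tcp
"""


def triage(table, review=REVIEW):
    """Split the table into block/review/resolved-only sets, dropping resolver noise."""
    queried, connected, direct_ip, reverse = set(), defaultdict(set), set(), 0
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        _, ip, port, name, proto = m.groups()
        if proto == "udp" and port == "53" and ip == RESOLVER:
            if name and name.endswith(".in-addr.arpa"):
                reverse += 1                      # PTR lookups of addresses already listed
            elif name:
                queried.add(name)
        elif proto == "tcp":
            if not name or name == ip:
                direct_ip.add(f"{ip}:{port}")     # no hostname: a DNS block would not help
            else:
                connected[name].add(f"{ip}:{port}")
    seen = queried | set(connected)
    return {
        "block_domains": sorted(seen - review),
        "review": sorted(seen & review),
        "resolved_only": sorted((queried - set(connected)) - review),
        "connected": {n: sorted(v) for n, v in sorted(connected.items())},
        "direct_ip": sorted(direct_ip),
        "reverse_lookups_dropped": reverse,
    }


if __name__ == "__main__":
    print(json.dumps(triage(NETWORK_TABLE), indent=2))
```

The resolved-only hosts belong on the blocklist even though no connection to them is recorded: they were looked up, so the sample knows them, and a later run or a different victim may reach them. Block by hostname where one exists; several of the connected addresses (104.21.x.x and 172.67.x.x here) sit in large shared CDN ranges, and blocking those IPs hits unrelated sites.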

Files

memory/2192-1-0x00000000008C0000-0x00000000009C0000-memory.dmp

memory/2192-2-0x0000000000860000-0x000000000086B000-memory.dmp

memory/2192-3-0x0000000000400000-0x0000000000720000-memory.dmp

memory/3396-4-0x0000000000EB0000-0x0000000000EC6000-memory.dmp

memory/2192-5-0x0000000000400000-0x0000000000720000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D9B6.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\3E6C.exe

MD5 8d76e42cbd333b2d7c3946ea1351ac7a
SHA1 800bd806ade43fb2d4f5c81a7929f3e8eeab7019
SHA256 5e1e31f5dec4546c01331bc1705d7c7509c060b00b49d88f444b336992377498
SHA512 c7bea376a671118dcc28b3e954f6484346ff8b87172b14d6fc77d772b88d32a826ff39c36426ef02d90f86cd96f6995ad2b7e344fed7ebb1d437637bb59fcb7b

memory/4852-20-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3E6C.exe

MD5 69b62b8e3549a8849780b4031f0946fd
SHA1 ab7a831ee201ec9cbc21a396c0f20f142602ca48
SHA256 6b7d494c1a0b31cb004a00e8a69815732dfb8e7e2670c3496b554144970a3af5
SHA512 82f6f7a860faef4004d0b454bbd068cc2e06cbe02ecffa56cd760d679ab967831c62c3ddcc880ee36f92be406030cf8022f4c223410a02df531c7fe0034edf8b

memory/2296-21-0x0000000002280000-0x000000000231A000-memory.dmp

memory/2296-24-0x0000000002420000-0x000000000253B000-memory.dmp

memory/4852-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4852-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4852-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4852-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2904-41-0x0000000002310000-0x00000000023AF000-memory.dmp

memory/4596-44-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4596-45-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4596-46-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 cba4fdc6b8bb239d79bdad89a8142d69
SHA1 6bfe0cf22001695afbb462a9ad4b19e24daa2b7a
SHA256 463306afbd8ccee07154bbce7ca117ff95cec22cd385e9e59056139b15542cd9
SHA512 69d71d3b7fca3dc45646cd36d507fe1c4bf133498b89ec0b7d357334980d3af0ed4d195d4a30e7b7a9f81e715714e3aaaaf822a5eb7d024d19eb99df3716d197

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 2ff14fb732157b20816afe0e355cc84a
SHA1 a711e7eb1a3738b3303cab8789d4a2aca26b4243
SHA256 867370548e14283f78abcac4220f565ccd77dde9230844881ddb21274df4eb92
SHA512 397e43d4978431f15287f913f34ca463a93fa00b137123dc8a8ba12cb170afa818ceef93433986ea78231bbc8320eacc5f9d1ce50dcbafc696d8d600abb7ab80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 deba5e523114933edca18128935d6b69
SHA1 eff7d3e9e65f7dc6a67f699af2d75fe65d13f62e
SHA256 c1689e7800c2de463ceb7c713699381a88890a9d84430be24ba17f1b8bfb911a
SHA512 a3372c0ab6553cc9f498cba3f21c241f988133456dca63eb2e78c11b1ae8627047f20506c93bc651a5f78ed87a324fdb2fbcc9a87e21981cbd38bac076def26c

memory/4596-51-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4596-52-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4596-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4596-59-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4596-58-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4596-60-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6F22.exe

MD5 b0500750ede1bc70901508bacc7ab0b8
SHA1 c6efe4c7b811e6c3eed32f2f70ae7a6ac847c2e8
SHA256 04ee06f5a05400d75674fae38ed7d2938468d096cee29f2c896aa8c610fbe5bc
SHA512 f09f5031d10fd2c65ec1d8937035902c2273f3f3f36e386142406ae0079fe6c7fbd68e7ea9c8001dedc119ef4d321ad37ff61069f8242806114e352a815c1be5

memory/4756-66-0x0000000000410000-0x000000000049E000-memory.dmp

memory/4756-67-0x00000000726F0000-0x0000000072DDE000-memory.dmp

memory/4756-68-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

memory/4808-71-0x0000000000400000-0x000000000044B000-memory.dmp

memory/4808-75-0x0000000000400000-0x000000000044B000-memory.dmp

memory/4756-76-0x00000000726F0000-0x0000000072DDE000-memory.dmp

memory/4756-77-0x00000000027E0000-0x00000000047E0000-memory.dmp

memory/4808-79-0x0000000001170000-0x00000000011B0000-memory.dmp

memory/4808-80-0x0000000001170000-0x00000000011B0000-memory.dmp

memory/4808-82-0x0000000001170000-0x00000000011B0000-memory.dmp

memory/4808-81-0x0000000001170000-0x00000000011B0000-memory.dmp

memory/4808-83-0x0000000000400000-0x000000000044B000-memory.dmp

memory/4808-84-0x0000000001170000-0x00000000011B0000-memory.dmp

C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe

MD5 81860aeef694d87233ec969091eadaab
SHA1 d0b141d3107bfde4d3937bbc7fdcecb12158f537
SHA256 088baa736a22dc259395a4cc42ab9ca457f41d5b777169aee667357c85586fb5
SHA512 7ecdf8497dc82f7276036a9a00665a518939457d5f470adf741a13c45daff9df2cf217adecb9e87ee3e66a545e8e846a9da83179a4bf562afe01db2f5cdd5e28

C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe

MD5 7ee7525aacb233a344f8bb32295c2c63
SHA1 554e08c5e5334b3d43dae290719a16574c460213
SHA256 80c15829e1dd7192977bc526fa770d5dd0780f97379ec41265632238357cd571
SHA512 959dba5566a31b11df2f493a57afaf62ee25d0c9f7aad9941a8ddedf18f23acbd7b42c735d5aee815fdc832ca166524e9096d0141b38ff9d48696558e5a3cc95

memory/1216-93-0x0000000000400000-0x0000000000644000-memory.dmp

C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe

MD5 859b0355ac2325c3d677f8d116a89f4b
SHA1 9f685cf73e5533a0ab9dd6a045a3157672a7526d
SHA256 56732ddb1ba43a542444cda37dbe9697892b2d091c3d415fbfbcb6fa413abc38
SHA512 3ba315fbb9c3cf90322ce7a60553ce0cf5b94c77ef2459f3cc2dab8c44fabcb6272976e2362989b99feb4227e3b7d00676a10e2415ef2ca0daba229744632ab2

memory/4640-99-0x0000000002370000-0x00000000023A1000-memory.dmp

memory/4640-98-0x00000000009D0000-0x0000000000AD0000-memory.dmp

memory/1216-97-0x0000000000400000-0x0000000000644000-memory.dmp

memory/1216-100-0x0000000000400000-0x0000000000644000-memory.dmp

C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/4596-107-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4808-111-0x0000000001170000-0x00000000011B0000-memory.dmp

memory/4756-110-0x00000000027E0000-0x00000000047E0000-memory.dmp

memory/4808-114-0x0000000001170000-0x00000000011B0000-memory.dmp

memory/4808-113-0x0000000001170000-0x00000000011B0000-memory.dmp

memory/4808-112-0x0000000001170000-0x00000000011B0000-memory.dmp

memory/4808-116-0x0000000000400000-0x000000000044B000-memory.dmp

memory/1216-117-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2996-122-0x00000000008C0000-0x00000000009C0000-memory.dmp

memory/3624-121-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2996-124-0x0000000000850000-0x0000000000854000-memory.dmp

memory/3624-126-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3624-128-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3624-129-0x0000000000410000-0x00000000004D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9A65.exe

MD5 211c64909e5465d1ed9d34e71b96178a
SHA1 06b13863f70835c25f8d0e85ffcb82c72b3861db
SHA256 9b6f84501d8cd41db204d50603f0e70b7d327c30fa0f9360b625b866012c1c1f
SHA512 10a1626368d670a9ddc3c4baadce10a02b2dc1680eb440e5748837f6abafb529753a27d714c1039c610e9c5d9a435c2e83f36ed74758cf9c5df6f74c6991f1ad

C:\Users\Admin\AppData\Local\Temp\9A65.exe

MD5 6f7463aeb9e4f15de46d6ba84faa030f
SHA1 653091aefec23b030c6b1387da94d0cd7bf21782
SHA256 e999d89cad5a4db4694c196690aa67feee5321856f7c16dc26acdf7e809bdb7b
SHA512 06ddf3cd0d798f8f61a593714e96f4ffa49f6212eb5b83147a3b70d2a13c85de6fca46bb01af0508e240d0b1d44720b36e0691338de2b78f92f5d47ede8e7068

memory/4144-146-0x0000000001190000-0x0000000001E75000-memory.dmp

memory/4144-151-0x00000000005A0000-0x00000000005A1000-memory.dmp

memory/4144-152-0x0000000000C60000-0x0000000000C61000-memory.dmp

memory/4144-153-0x0000000000C90000-0x0000000000C91000-memory.dmp

memory/4144-155-0x0000000001190000-0x0000000001E75000-memory.dmp

memory/4144-154-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/4144-156-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

memory/4144-157-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

memory/4144-164-0x0000000000CD0000-0x0000000000D10000-memory.dmp

memory/4144-163-0x0000000000CD0000-0x0000000000D10000-memory.dmp

memory/4144-162-0x0000000000CD0000-0x0000000000D10000-memory.dmp

memory/4144-161-0x0000000000CD0000-0x0000000000D10000-memory.dmp

memory/4144-160-0x0000000000CD0000-0x0000000000D10000-memory.dmp

memory/4144-159-0x0000000000CD0000-0x0000000000D10000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 7abba8174677b3c4d585cd620e6f0c6b
SHA1 2de166d22c395e3d8fddc964b145a10f14653e5b
SHA256 5b32fbd2dde8751cc9db1e650703b8054f864b344f20bce83ecb79b9a77342a1
SHA512 8bac1c3c3ee0bb25870d1b288cd5d563294795681b0942a4b89182214b48ab8ece50d445f9faac0d4776e7395567b5ca867e1008e49d6e147e7e904682ae8d18

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 3da1b5ed8f1ce98cedee78df26dae863
SHA1 37d6ae05a68479fe0156b82f68cbfb89945cc4b5
SHA256 fa3b9227c86565c67075010ce66bd675a3d0f59bab481c4f534440f56970c87c
SHA512 61cd9b206d7c8475e88996f89d0c94539b22d64357d1495899557050036e5281a29b6e1975a1d912f068d8bd1df251fd7bc93a368af0d67d49693f9cd5c1b9f8

memory/4144-171-0x0000000001190000-0x0000000001E75000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C3F7.exe

MD5 3e55421d8b308ec86e5e4c8bead5fc70
SHA1 226aeeb843770fa7085f4d0848cc7862c107ffc4
SHA256 9c32cea5e3163fcacea2fd39108176538d7dac20a231588518558472206c9bd0
SHA512 16f81970039e85aa5d25acea8c77b01cb8a1dfed886d2d4dea837dcb78f3490341bc5777a998c0c09ff67e08f90a4ffdc4d8c41a58c6df5ff3e63ddb37a6383b

C:\Users\Admin\AppData\Local\Temp\C3F7.exe

MD5 b7423c8f3613c79f62bad2f058542eb7
SHA1 f4508c4fdaee371d8c9c3b19ed0c02be01fa1882
SHA256 c76ff1672abfa3dde264bde19669bbc9590198bb677b50afc95959c824036ca3
SHA512 6e565085fe8ca69ffbdbcc5042b3ab0646be1fc24a62aad7e86bb4d2908ff24f23bb9054269cea8f3d1898cce115988a975754b7862441dd378b3a76544d82a8
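
Several paths in the listing above appear more than once with different hashes: 3E6C.exe, 9A65.exe, mstsca.exe and C3F7.exe each have two hash sets and build2.exe has three, so the file at each of those paths was rewritten during the run. A blocklist built from the first hash per path misses the later versions, and a hash from the Run key's copy of 3E6C.exe will not match the Temp copy that ran first. The parser below is an added example, not part of the report or of the sandbox's output: it walks the listing (constructed here as a subset with the MD5 and SHA256 lines), groups hash blocks by path in report order, counts the memory dumps per PID, and reports which paths changed content. The digest-length check is this example's own sanity test for copy-and-paste damage.

```python
import re
from collections import Counter, defaultdict

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEMDUMP = re.compile(r"^memory/(\d+)-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")

# Constructed sample: a subset of the Files listing above (MD5 and SHA256 lines only).
FILES = r"""
C:\Users\Admin\AppData\Local\Temp\3E6C.exe
MD5 8d76e42cbd333b2d7c3946ea1351ac7a
SHA256 5e1e31f5dec4546c01331bc1705d7c7509c060b00b49d88f444b336992377498
memory/4852-20-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3E6C.exe
MD5 69b62b8e3549a8849780b4031f0946fd
SHA256 6b7d494c1a0b31cb004a00e8a69815732dfb8e7e2670c3496b554144970a3af5
C:\Users\Admin\AppData\Local\Temp\6F22.exe
MD5 b0500750ede1bc70901508bacc7ab0b8
SHA256 04ee06f5a05400d75674fae38ed7d2938468d096cee29f2c896aa8c610fbe5bc
C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe
MD5 81860aeef694d87233ec969091eadaab
SHA256 088baa736a22dc259395a4cc42ab9ca457f41d5b777169aee667357c85586fb5
C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe
MD5 7ee7525aacb233a344f8bb32295c2c63
SHA256 80c15829e1dd7192977bc526fa770d5dd0780f97379ec41265632238357cd571
memory/1216-93-0x0000000000400000-0x0000000000644000-memory.dmp
C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe
MD5 859b0355ac2325c3d677f8d116a89f4b
SHA256 56732ddb1ba43a542444cda37dbe9697892b2d091c3d415fbfbcb6fa413abc38
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5 7abba8174677b3c4d585cd620e6f0c6b
SHA256 5b32fbd2dde8751cc9db1e650703b8054f864b344f20bce83ecb79b9a77342a1
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5 3da1b5ed8f1ce98cedee78df26dae863
SHA256 fa3b9227c86565c67075010ce66bd675a3d0f59bab481c4f534440f56970c87c
"""


def parse_files(listing):
    """Group hash blocks by path (in report order) and count memory dumps per PID."""
    by_path, dumps, current = defaultdict(list), Counter(), None
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEMDUMP.match(line)
        if m:
            dumps[int(m.group(1))] += 1
            current = None                 # a dump line ends the previous hash block
            continue
        if re.match(r"^[A-Za-z]:\\", line):
            current = line                 # a drive-rooted path opens a new hash block
            by_path[current].append({})
            continue
        algo, _, digest = line.partition(" ")
        if algo in DIGEST_LEN and current is not None:
            if len(digest) != DIGEST_LEN[algo] or not re.fullmatch(r"[0-9a-fA-F]+", digest):
                raise ValueError(f"malformed {algo} for {current}: {digest}")
            by_path[current][-1][algo] = digest.lower()
    return {"by_path": dict(by_path), "dumps": dict(dumps)}


def rewritten(by_path):
    """Paths written more than once with different content: path -> SHA256s in order."""
    return {path: [e["SHA256"] for e in entries]
            for path, entries in by_path.items()
            if len({e["SHA256"] for e in entries}) > 1}


def all_sha256(by_path):
    """Every distinct SHA256 in the listing, so a blocklist covers each version."""
    return sorted({e["SHA256"] for entries in by_path.values() for e in entries})


if __name__ == "__main__":
    parsed = parse_files(FILES)
    for path, digests in rewritten(parsed["by_path"]).items():
        print(f"{path}: {len(digests)} versions")
        for d in digests:
            print(f"  {d}")
    print(f"{len(all_sha256(parsed['by_path']))} distinct SHA256 values; dumps per PID: {parsed['dumps']}")
```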