Analysis Overview
SHA256
1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50
Threat Level: Known bad
The file 1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50 was found to be: Known bad.
Malicious Activity Summary
Detect Vidar Stealer
DcRat
SmokeLoader
Detected Djvu ransomware
Vidar
Lumma Stealer
Djvu Ransomware
Downloads MZ/PE file
Modifies file permissions
Executes dropped EXE
Deletes itself
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-14 04:51
Signatures
Unsigned PE
(1 hit; no description, indicator or process details captured)
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-14 04:51
Reported
2024-03-14 04:56
Platform
win7-20240221-en
Max time kernel
300s
Max time network
227s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\54331454-c55d-4637-9278-d1f15685e838\\A111.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\A111.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detect Vidar Stealer
(5 hits; no description, indicator or process details captured)
Detected Djvu ransomware
(14 hits; no description, indicator or process details captured)
Djvu Ransomware
SmokeLoader
Vidar
Downloads MZ/PE file
Deletes itself
(1 hit; no description, indicator or process details captured)
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A111.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\54331454-c55d-4637-9278-d1f15685e838\\A111.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\A111.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
(62 further hits with no description, indicator or process details captured)
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe
"C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7AAC.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\A111.exe
C:\Users\Admin\AppData\Local\Temp\A111.exe
C:\Users\Admin\AppData\Local\Temp\A111.exe
C:\Users\Admin\AppData\Local\Temp\A111.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\54331454-c55d-4637-9278-d1f15685e838" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\A111.exe
"C:\Users\Admin\AppData\Local\Temp\A111.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\A111.exe
"C:\Users\Admin\AppData\Local\Temp\A111.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe
"C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe"
C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe
"C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe"
C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe
"C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe"
C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe
"C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1400
C:\Windows\system32\taskeng.exe
taskeng.exe {6620482D-9F38-4A4D-83A3-F524C85B4F05} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\B68.exe
C:\Users\Admin\AppData\Local\Temp\B68.exe
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EF2.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\3151.exe
C:\Users\Admin\AppData\Local\Temp\3151.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
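The process tree above (and the behavioral2 tree below, with 3E6C.exe and D9B6.bat in place of A111.exe and 7AAC.bat) records the same chain on both platforms: cmd.exe runs a dropped .bat that has reg.exe write HKCU\Software\clicker\key; the A111.exe payload uses icacls to deny Everyone (S-1-1-0) delete rights on a GUID-named folder under AppData\Local, relaunches itself with --Admin IsNotAutoStart IsNotTask and registers a SysHelper Run key with --AutoStart; and schtasks creates "Azure-Update-Task" to run mstsca.exe every minute. Worth noting for triage: the rows under the DcRat heading are the same SysHelper Run-key write and schtasks calls listed under "Adds Run key to start application" and "Creates scheduled task(s)", so that label rests on generic persistence behaviour rather than a family-specific indicator. The Python below is an added example, not part of the sandbox report: it turns those four observations into regular-expression rules and runs them over a constructed list of command lines copied from the tree (WerFault.exe included as a benign control). Rule names and helper functions are this example's own.

```python
"""Command-line detection rules for the persistence and defence-evasion steps
seen in the sandbox process tree. Added example, not part of the report."""
import re

# Constructed sample: command lines copied from the report's Processes section,
# plus the SysHelper Run-key value and a benign WerFault.exe line as a control.
SAMPLE_CMDLINES = [
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\7AAC.bat" "',
    r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1',
    r'icacls "C:\Users\Admin\AppData\Local\54331454-c55d-4637-9278-d1f15685e838" '
    r'/deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'"C:\Users\Admin\AppData\Local\Temp\A111.exe" --Admin IsNotAutoStart IsNotTask',
    r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" '
    r'/tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"',
    r'"C:\Users\Admin\AppData\Local\54331454-c55d-4637-9278-d1f15685e838\A111.exe" --AutoStart',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1400',
]

GUID = r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
USERPROFILE_APPDATA = r'\\Users\\[^\\"]+\\AppData\\'

# Rule names are this example's own, chosen to describe the behaviour matched.
RULES = {
    # reg.exe writing the HKCU\Software\clicker\key marker seen in both .bat runs.
    "reg_clicker_marker_key": re.compile(
        r'\breg(?:\.exe)?\s+add\s+"?HK(?:EY_)?CU(?:RRENT_USER)?\\Software\\clicker\\key',
        re.I),
    # icacls denying Everyone (S-1-1-0) delete rights on a GUID-named folder,
    # which stops the user from removing the staged payload directory.
    "icacls_deny_everyone_delete_guid_dir": re.compile(
        r'\bicacls(?:\.exe)?\s+"?[^"]*\\' + GUID +
        r'"?\s+/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)', re.I),
    # Second-stage relaunch switches and the --AutoStart Run-key value.
    "payload_autostart_switches": re.compile(
        r'--Admin\s+IsNotAutoStart\s+IsNotTask\b|--AutoStart\b', re.I),
    # schtasks task firing every minute whose action lives under a user profile.
    "schtasks_every_minute_userprofile": re.compile(
        r'/create\b.*?/sc\s+minute\b.*?/mo\s+1\b.*?/tr\s+"?[A-Za-z]:' + USERPROFILE_APPDATA,
        re.I | re.S),
}


def scan(cmdlines):
    """Return (rule_name, cmdline) for every rule that fires on each line."""
    hits = []
    for line in cmdlines:
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((name, line))
    return hits


def fired_rules(cmdlines):
    """Sorted set of distinct rule names that fired across all lines."""
    return sorted({name for name, _ in scan(cmdlines)})


def staging_chain_present(cmdlines):
    """True when both halves of the protected-staging-folder install sequence
    (icacls deny on the GUID folder and the autostart relaunch) are seen."""
    fired = set(fired_rules(cmdlines))
    return {"icacls_deny_everyone_delete_guid_dir",
            "payload_autostart_switches"} <= fired


if __name__ == "__main__":
    for name, line in scan(SAMPLE_CMDLINES):
        print(f"{name:40s} {line}")
    print("staging chain present:", staging_chain_present(SAMPLE_CMDLINES))
```

The schtasks rule deliberately requires the task action to sit under a user profile; a once-a-minute task pointing into C:\Windows is left for other rules, which keeps the rule quiet on legitimate maintenance tasks while still catching the mstsca.exe case above.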
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.150.149:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| KR | 210.182.29.70:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| KR | 210.182.29.70:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | sajdfue.com | udp |
| CO | 186.112.12.181:80 | sajdfue.com | tcp |
| US | 8.8.8.8:53 | sportessentia.home.pl | udp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| CO | 186.112.12.181:80 | sajdfue.com | tcp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| DE | 5.75.221.28:80 | 5.75.221.28 | tcp |
| RU | 81.94.150.149:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | valowaves.com | udp |
| US | 104.21.51.243:443 | valowaves.com | tcp |
| US | 8.8.8.8:53 | nessotechbd.com | udp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 8.8.8.8:53 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | udp |
| US | 209.141.39.59:443 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| NL | 142.250.179.142:443 | drive.google.com | tcp |
| NL | 195.20.16.82:443 | | tcp |
| NL | 195.20.16.82:443 | | tcp |
| US | 8.8.8.8:53 | safety.co.tz | udp |
| US | 67.227.213.152:443 | safety.co.tz | tcp |
| US | 67.227.213.152:443 | safety.co.tz | tcp |
| US | 8.8.8.8:53 | streamingplay.site | udp |
| BR | 45.152.46.72:443 | streamingplay.site | tcp |
| BR | 45.152.46.72:443 | streamingplay.site | tcp |
| US | 8.8.8.8:53 | www.upload.ee | udp |
| FR | 51.91.30.159:443 | www.upload.ee | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
Files
memory/756-1-0x00000000007D0000-0x00000000008D0000-memory.dmp
memory/756-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/756-3-0x0000000000400000-0x0000000000720000-memory.dmp
memory/1196-4-0x0000000002E10000-0x0000000002E26000-memory.dmp
memory/756-5-0x0000000000400000-0x0000000000720000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7AAC.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\A111.exe
| MD5 | 8d76e42cbd333b2d7c3946ea1351ac7a |
| SHA1 | 800bd806ade43fb2d4f5c81a7929f3e8eeab7019 |
| SHA256 | 5e1e31f5dec4546c01331bc1705d7c7509c060b00b49d88f444b336992377498 |
| SHA512 | c7bea376a671118dcc28b3e954f6484346ff8b87172b14d6fc77d772b88d32a826ff39c36426ef02d90f86cd96f6995ad2b7e344fed7ebb1d437637bb59fcb7b |
memory/2852-27-0x0000000000300000-0x0000000000392000-memory.dmp
memory/2852-26-0x0000000000300000-0x0000000000392000-memory.dmp
memory/2724-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2724-33-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2852-28-0x00000000020D0000-0x00000000021EB000-memory.dmp
memory/2724-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2724-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2724-58-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2040-60-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2040-61-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2696-68-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2696-69-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabA89E.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | df640f771ce8afe7ff64e444ec502bde |
| SHA1 | a22b80cf66c25654a68d8722d4a0a93d7c3abde9 |
| SHA256 | ce8ab08036aad171898c90c8d4190ba5dc3d3240ab31d4b0f55f9a02ba5f1ec9 |
| SHA512 | c77fbb68c65597dcfc429d37a6e9d280dda31f1caaf7586bfe66a19c3abdd256f334e5388a333f1f55fe2ce7dee87df1f44ffbc5da1e85532bd4982343d124ed |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 2cbb6a637e7a4ed3aa5181cbc0462336 |
| SHA1 | a43f3782e8feef85a53d5c8e419251c501eb47c2 |
| SHA256 | 817e3a1fa5f67a5303cbc8cc07397b2424447367cc8adff696be11b0d26e1079 |
| SHA512 | 6bd6379276bd3f4858304012f5f6d4d8359e1917cf6fa6c72e35b03a349e0190af877794d00811ffb07442641a0212a56d73bf176c888d661ad4bc487fdcd235 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 2ff14fb732157b20816afe0e355cc84a |
| SHA1 | a711e7eb1a3738b3303cab8789d4a2aca26b4243 |
| SHA256 | 867370548e14283f78abcac4220f565ccd77dde9230844881ddb21274df4eb92 |
| SHA512 | 397e43d4978431f15287f913f34ca463a93fa00b137123dc8a8ba12cb170afa818ceef93433986ea78231bbc8320eacc5f9d1ce50dcbafc696d8d600abb7ab80 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | e9e958a38328b74acd69473906e161cc |
| SHA1 | ac407594dedba43b7129f5c8cbfb7030197a6660 |
| SHA256 | 4186f1994bc6fed3064b8761bc30871281675d7f6d9ecd2f5b8dc0cdbe55f029 |
| SHA512 | 27e9fc770b060253b8e7758921aed974ed04225c7e896183f7361296d56f6ed1fdedc63e5648241df858a6f0e8fbb47ca9cba92995757217b77f251e752eb2a0 |
memory/2696-82-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2696-83-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2696-87-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2696-89-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2696-90-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build2.exe
| MD5 | 47704f454af8641dac1af2e2768d7881 |
| SHA1 | e3341bfdec84f69684aecde18cab2864519c7728 |
| SHA256 | a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64 |
| SHA512 | 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25 |
memory/2420-104-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2204-109-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/2204-110-0x00000000002D0000-0x0000000000301000-memory.dmp
memory/2420-111-0x0000000000400000-0x0000000000644000-memory.dmp
memory/2420-106-0x0000000000400000-0x0000000000644000-memory.dmp
memory/2420-113-0x0000000000400000-0x0000000000644000-memory.dmp
C:\Users\Admin\AppData\Local\bd7fd048-cb82-4afd-b728-dfd4b63250b0\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/2696-124-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2696-112-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarD53A.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\TarD6A7.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
memory/2892-171-0x00000000009A2000-0x00000000009B3000-memory.dmp
memory/2892-173-0x0000000000220000-0x0000000000224000-memory.dmp
memory/2064-169-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2064-167-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2064-174-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2064-176-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2420-183-0x0000000000400000-0x0000000000644000-memory.dmp
memory/2072-197-0x0000000000910000-0x0000000000A10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B68.exe
| MD5 | 9e52aa572f0afc888c098db4c0f687ff |
| SHA1 | ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b |
| SHA256 | 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443 |
| SHA512 | d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62 |
memory/2468-219-0x0000000000AF0000-0x00000000017D5000-memory.dmp
memory/2468-236-0x0000000000AF0000-0x00000000017D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3151.exe
| MD5 | 450039a02217c53bd983eaf1fd34505a |
| SHA1 | 930ed58a2f58ca7bf3e39aaee43fb541f1c6eeda |
| SHA256 | d2eacbc922f248856b860aa7c31476ae4123f97e82cf69760ef216d9dca321f0 |
| SHA512 | cf37a82ea7b64f4633ac82c73feff3f829dda279a7caeac32a4cde7b0f82a43b37f67e620677a87d2eccc0eee6f8d68d0175a086487b2174b4f30b66aa4fb080 |
memory/1824-251-0x00000000009C0000-0x0000000000AC0000-memory.dmp
memory/864-278-0x00000000002D0000-0x00000000003D0000-memory.dmp
memory/2940-308-0x0000000000270000-0x0000000000370000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-14 04:51
Reported
2024-03-14 04:56
Platform
win10-20240214-en
Max time kernel
154s
Max time network
257s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\aec5f534-9b59-4cc7-93ca-15a76bb8a993\\3E6C.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\3E6C.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detect Vidar Stealer
(5 hits; no description, indicator or process details captured)
Detected Djvu ransomware
(16 hits; no description, indicator or process details captured)
Djvu Ransomware
Lumma Stealer
SmokeLoader
Vidar
Downloads MZ/PE file
Deletes itself
(1 hit; no description, indicator or process details captured)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3E6C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3E6C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3E6C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3E6C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6F22.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9A65.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C3F7.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\aec5f534-9b59-4cc7-93ca-15a76bb8a993\\3E6C.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\3E6C.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2296 set thread context of 4852 | N/A | C:\Users\Admin\AppData\Local\Temp\3E6C.exe | C:\Users\Admin\AppData\Local\Temp\3E6C.exe |
| PID 2904 set thread context of 4596 | N/A | C:\Users\Admin\AppData\Local\Temp\3E6C.exe | C:\Users\Admin\AppData\Local\Temp\3E6C.exe |
| PID 4756 set thread context of 4808 | N/A | C:\Users\Admin\AppData\Local\Temp\6F22.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4640 set thread context of 1216 | N/A | C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe | C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe |
| PID 2996 set thread context of 3624 | N/A | C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe | C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
(62 further hits with no description, indicator or process details captured)
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6F22.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe | "C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9B6.bat" " |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1 |
| C:\Users\Admin\AppData\Local\Temp\3E6C.exe | C:\Users\Admin\AppData\Local\Temp\3E6C.exe |
| C:\Users\Admin\AppData\Local\Temp\3E6C.exe | C:\Users\Admin\AppData\Local\Temp\3E6C.exe |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\aec5f534-9b59-4cc7-93ca-15a76bb8a993" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\3E6C.exe | "C:\Users\Admin\AppData\Local\Temp\3E6C.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\3E6C.exe | "C:\Users\Admin\AppData\Local\Temp\3E6C.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\6F22.exe | C:\Users\Admin\AppData\Local\Temp\6F22.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1168 |
| C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe | "C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe" |
| C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe | "C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe" |
| C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe | "C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1488 |
| C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe | "C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe" |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Local\Temp\9A65.exe | C:\Users\Admin\AppData\Local\Temp\9A65.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9FB5.bat" " |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 940 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 984 |
| C:\Users\Admin\AppData\Local\Temp\C3F7.exe | C:\Users\Admin\AppData\Local\Temp\C3F7.exe |
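The process list above is where the behaviour signatures come from: a scheduled task that re-launches a binary under the user profile every minute, an icacls call that denies Everyone delete rights on the dropped-payload directory, a registry marker written by reg.exe, RegAsm.exe started with no arguments, and WerFault handling crashes of several PIDs. The following script is an added example, not part of the sandbox report or of any of the tools named on it: it runs those checks over (image, command line) pairs so the same rows can be triaged offline. The rule names, the notes and the regexes are the editor's own, and the embedded sample is a constructed subset of the rows above.

```python
"""Behaviour checks over a sandbox process list (added example, not report code)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    image: str
    note: str


# Rules and names below are the editor's assumptions, chosen to match the report's rows.
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)
SCHTASKS_MINUTE = re.compile(r'/create\b.*/sc\s+minute\b.*/tr\s+"?([^"]+)"?', re.IGNORECASE)
ICACLS_DENY_ALL = re.compile(r'icacls\s+"([^"]+)"\s+/deny\s+\*S-1-1-0:(\S+)', re.IGNORECASE)
REG_ADD_HKCU = re.compile(r'^reg\s+add\s+"(?:HKEY_CURRENT_USER|HKCU)\\([^"]+)"', re.IGNORECASE)
WERFAULT_PID = re.compile(r"WerFault\.exe\s.*-p\s+(\d+)", re.IGNORECASE)


def triage(processes):
    """Return one Finding per matched rule, in process-list order."""
    findings = []
    for image, cmdline in processes:
        exe = image.rsplit("\\", 1)[-1].lower()
        if USER_WRITABLE.search(image):
            findings.append(Finding("exec_from_user_writable", image,
                                    "binary runs from the user profile, where a dropper can write"))
        if exe == "schtasks.exe" and (m := SCHTASKS_MINUTE.search(cmdline)):
            target = m.group(1)
            where = "user-writable target" if USER_WRITABLE.search(target) else "target"
            findings.append(Finding("schtasks_minute_persistence", image,
                                    f"task re-launches {where} {target} every minute"))
        if exe == "icacls.exe" and (m := ICACLS_DENY_ALL.search(cmdline)):
            path, rights = m.groups()
            what = "delete" if "DE" in rights.upper() else "access"
            findings.append(Finding("icacls_deny_everyone", image,
                                    f"Everyone (S-1-1-0) denied {what} on {path}: protects the dropped payload"))
        if exe == "reg.exe" and (m := REG_ADD_HKCU.search(cmdline)):
            key = m.group(1)
            kind = "autostart entry" if "currentversion\\run" in key.lower() else "marker value"
            findings.append(Finding("reg_add_hkcu", image, f"{kind} written under HKCU\\{key}"))
        if exe == "regasm.exe" and cmdline.strip().strip('"').lower().endswith("regasm.exe"):
            findings.append(Finding("regasm_no_args", image,
                                    "RegAsm.exe started without arguments: a common injection host, "
                                    "correlate with WriteProcessMemory/SetThreadContext events"))
        if exe == "werfault.exe" and (m := WERFAULT_PID.search(cmdline)):
            findings.append(Finding("werfault_crash", image, f"crash handler for PID {m.group(1)}"))
    return findings


def crashed_pids(processes):
    """PIDs WerFault was started for; match them against memory/<pid>-* dump names."""
    return [int(m.group(1)) for _, c in processes if (m := WERFAULT_PID.search(c))]


# Constructed sample: a subset of the (image, command line) pairs from the report.
SAMPLE_PROCESSES = [
    (r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9B6.bat" "'),
    (r"C:\Windows\system32\reg.exe",
     r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1'),
    (r"C:\Windows\SysWOW64\icacls.exe",
     r'icacls "C:\Users\Admin\AppData\Local\aec5f534-9b59-4cc7-93ca-15a76bb8a993" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (r"C:\Users\Admin\AppData\Local\Temp\3E6C.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\3E6C.exe" --Admin IsNotAutoStart IsNotTask'),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1168"),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print(f"{f.rule:28} {f.note}")
    print("crashed PIDs:", crashed_pids(SAMPLE_PROCESSES))
```

The schtasks rule fires on the `/sc minute /mo 1` schedule rather than on the task name, since "Azure-Update-Task" is just a label the author chose; the icacls rule keys on the well-known Everyone SID rather than on the GUID-named directory for the same reason. The WerFault PIDs in this report (4808, 1216, 4144) are the same PIDs that name the memory/4808-*, memory/1216-* and memory/4144-* dumps in the Files section, so the crashed processes have memory regions captured for review.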
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.150.149:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 149.150.94.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| KR | 210.182.29.70:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | 70.29.182.210.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | sportessentia.home.pl | udp |
| KR | 210.182.29.70:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | sajdfue.com | udp |
| CO | 186.112.12.181:80 | sajdfue.com | tcp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| US | 8.8.8.8:53 | 166.138.96.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.12.112.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | theonlyreasonwhywe.pro | udp |
| US | 104.21.38.37:443 | theonlyreasonwhywe.pro | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 8.8.8.8:53 | wisemassiveharmonious.shop | udp |
| US | 104.21.80.130:443 | wisemassiveharmonious.shop | tcp |
| US | 8.8.8.8:53 | 37.38.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.80.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.232.23.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| CO | 186.112.12.181:80 | sajdfue.com | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| DE | 5.75.221.28:80 | 5.75.221.28 | tcp |
| US | 8.8.8.8:53 | 77.154.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.221.75.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
| RU | 81.94.150.149:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 104.21.94.2:443 | resergvearyinitiani.shop | tcp |
| US | 8.8.8.8:53 | 2.94.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 8.8.8.8:53 | valowaves.com | udp |
| US | 172.67.192.62:443 | valowaves.com | tcp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 172.67.147.18:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 18.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.192.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nessotechbd.com | udp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 8.8.8.8:53 | 114.16.185.192.in-addr.arpa | udp |
Files
memory/2192-1-0x00000000008C0000-0x00000000009C0000-memory.dmp
memory/2192-2-0x0000000000860000-0x000000000086B000-memory.dmp
memory/2192-3-0x0000000000400000-0x0000000000720000-memory.dmp
memory/3396-4-0x0000000000EB0000-0x0000000000EC6000-memory.dmp
memory/2192-5-0x0000000000400000-0x0000000000720000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D9B6.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\3E6C.exe
| MD5 | 8d76e42cbd333b2d7c3946ea1351ac7a |
| SHA1 | 800bd806ade43fb2d4f5c81a7929f3e8eeab7019 |
| SHA256 | 5e1e31f5dec4546c01331bc1705d7c7509c060b00b49d88f444b336992377498 |
| SHA512 | c7bea376a671118dcc28b3e954f6484346ff8b87172b14d6fc77d772b88d32a826ff39c36426ef02d90f86cd96f6995ad2b7e344fed7ebb1d437637bb59fcb7b |
memory/4852-20-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3E6C.exe
| MD5 | 69b62b8e3549a8849780b4031f0946fd |
| SHA1 | ab7a831ee201ec9cbc21a396c0f20f142602ca48 |
| SHA256 | 6b7d494c1a0b31cb004a00e8a69815732dfb8e7e2670c3496b554144970a3af5 |
| SHA512 | 82f6f7a860faef4004d0b454bbd068cc2e06cbe02ecffa56cd760d679ab967831c62c3ddcc880ee36f92be406030cf8022f4c223410a02df531c7fe0034edf8b |
memory/2296-21-0x0000000002280000-0x000000000231A000-memory.dmp
memory/2296-24-0x0000000002420000-0x000000000253B000-memory.dmp
memory/4852-23-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4852-25-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4852-26-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4852-38-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2904-41-0x0000000002310000-0x00000000023AF000-memory.dmp
memory/4596-44-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4596-45-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4596-46-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | cba4fdc6b8bb239d79bdad89a8142d69 |
| SHA1 | 6bfe0cf22001695afbb462a9ad4b19e24daa2b7a |
| SHA256 | 463306afbd8ccee07154bbce7ca117ff95cec22cd385e9e59056139b15542cd9 |
| SHA512 | 69d71d3b7fca3dc45646cd36d507fe1c4bf133498b89ec0b7d357334980d3af0ed4d195d4a30e7b7a9f81e715714e3aaaaf822a5eb7d024d19eb99df3716d197 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 2ff14fb732157b20816afe0e355cc84a |
| SHA1 | a711e7eb1a3738b3303cab8789d4a2aca26b4243 |
| SHA256 | 867370548e14283f78abcac4220f565ccd77dde9230844881ddb21274df4eb92 |
| SHA512 | 397e43d4978431f15287f913f34ca463a93fa00b137123dc8a8ba12cb170afa818ceef93433986ea78231bbc8320eacc5f9d1ce50dcbafc696d8d600abb7ab80 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | deba5e523114933edca18128935d6b69 |
| SHA1 | eff7d3e9e65f7dc6a67f699af2d75fe65d13f62e |
| SHA256 | c1689e7800c2de463ceb7c713699381a88890a9d84430be24ba17f1b8bfb911a |
| SHA512 | a3372c0ab6553cc9f498cba3f21c241f988133456dca63eb2e78c11b1ae8627047f20506c93bc651a5f78ed87a324fdb2fbcc9a87e21981cbd38bac076def26c |
memory/4596-51-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4596-52-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4596-56-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4596-59-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4596-58-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4596-60-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6F22.exe
| MD5 | b0500750ede1bc70901508bacc7ab0b8 |
| SHA1 | c6efe4c7b811e6c3eed32f2f70ae7a6ac847c2e8 |
| SHA256 | 04ee06f5a05400d75674fae38ed7d2938468d096cee29f2c896aa8c610fbe5bc |
| SHA512 | f09f5031d10fd2c65ec1d8937035902c2273f3f3f36e386142406ae0079fe6c7fbd68e7ea9c8001dedc119ef4d321ad37ff61069f8242806114e352a815c1be5 |
memory/4756-66-0x0000000000410000-0x000000000049E000-memory.dmp
memory/4756-67-0x00000000726F0000-0x0000000072DDE000-memory.dmp
memory/4756-68-0x0000000004CB0000-0x0000000004CC0000-memory.dmp
memory/4808-71-0x0000000000400000-0x000000000044B000-memory.dmp
memory/4808-75-0x0000000000400000-0x000000000044B000-memory.dmp
memory/4756-76-0x00000000726F0000-0x0000000072DDE000-memory.dmp
memory/4756-77-0x00000000027E0000-0x00000000047E0000-memory.dmp
memory/4808-79-0x0000000001170000-0x00000000011B0000-memory.dmp
memory/4808-80-0x0000000001170000-0x00000000011B0000-memory.dmp
memory/4808-82-0x0000000001170000-0x00000000011B0000-memory.dmp
memory/4808-81-0x0000000001170000-0x00000000011B0000-memory.dmp
memory/4808-83-0x0000000000400000-0x000000000044B000-memory.dmp
memory/4808-84-0x0000000001170000-0x00000000011B0000-memory.dmp
C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe
| MD5 | 81860aeef694d87233ec969091eadaab |
| SHA1 | d0b141d3107bfde4d3937bbc7fdcecb12158f537 |
| SHA256 | 088baa736a22dc259395a4cc42ab9ca457f41d5b777169aee667357c85586fb5 |
| SHA512 | 7ecdf8497dc82f7276036a9a00665a518939457d5f470adf741a13c45daff9df2cf217adecb9e87ee3e66a545e8e846a9da83179a4bf562afe01db2f5cdd5e28 |
C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe
| MD5 | 7ee7525aacb233a344f8bb32295c2c63 |
| SHA1 | 554e08c5e5334b3d43dae290719a16574c460213 |
| SHA256 | 80c15829e1dd7192977bc526fa770d5dd0780f97379ec41265632238357cd571 |
| SHA512 | 959dba5566a31b11df2f493a57afaf62ee25d0c9f7aad9941a8ddedf18f23acbd7b42c735d5aee815fdc832ca166524e9096d0141b38ff9d48696558e5a3cc95 |
memory/1216-93-0x0000000000400000-0x0000000000644000-memory.dmp
C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build2.exe
| MD5 | 859b0355ac2325c3d677f8d116a89f4b |
| SHA1 | 9f685cf73e5533a0ab9dd6a045a3157672a7526d |
| SHA256 | 56732ddb1ba43a542444cda37dbe9697892b2d091c3d415fbfbcb6fa413abc38 |
| SHA512 | 3ba315fbb9c3cf90322ce7a60553ce0cf5b94c77ef2459f3cc2dab8c44fabcb6272976e2362989b99feb4227e3b7d00676a10e2415ef2ca0daba229744632ab2 |
memory/4640-99-0x0000000002370000-0x00000000023A1000-memory.dmp
memory/4640-98-0x00000000009D0000-0x0000000000AD0000-memory.dmp
memory/1216-97-0x0000000000400000-0x0000000000644000-memory.dmp
memory/1216-100-0x0000000000400000-0x0000000000644000-memory.dmp
C:\Users\Admin\AppData\Local\97b526ec-674c-4230-bbd3-208e875e4307\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/4596-107-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4808-111-0x0000000001170000-0x00000000011B0000-memory.dmp
memory/4756-110-0x00000000027E0000-0x00000000047E0000-memory.dmp
memory/4808-114-0x0000000001170000-0x00000000011B0000-memory.dmp
memory/4808-113-0x0000000001170000-0x00000000011B0000-memory.dmp
memory/4808-112-0x0000000001170000-0x00000000011B0000-memory.dmp
memory/4808-116-0x0000000000400000-0x000000000044B000-memory.dmp
memory/1216-117-0x0000000000400000-0x0000000000644000-memory.dmp
memory/2996-122-0x00000000008C0000-0x00000000009C0000-memory.dmp
memory/3624-121-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2996-124-0x0000000000850000-0x0000000000854000-memory.dmp
memory/3624-126-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3624-128-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3624-129-0x0000000000410000-0x00000000004D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9A65.exe
| MD5 | 211c64909e5465d1ed9d34e71b96178a |
| SHA1 | 06b13863f70835c25f8d0e85ffcb82c72b3861db |
| SHA256 | 9b6f84501d8cd41db204d50603f0e70b7d327c30fa0f9360b625b866012c1c1f |
| SHA512 | 10a1626368d670a9ddc3c4baadce10a02b2dc1680eb440e5748837f6abafb529753a27d714c1039c610e9c5d9a435c2e83f36ed74758cf9c5df6f74c6991f1ad |
C:\Users\Admin\AppData\Local\Temp\9A65.exe
| MD5 | 6f7463aeb9e4f15de46d6ba84faa030f |
| SHA1 | 653091aefec23b030c6b1387da94d0cd7bf21782 |
| SHA256 | e999d89cad5a4db4694c196690aa67feee5321856f7c16dc26acdf7e809bdb7b |
| SHA512 | 06ddf3cd0d798f8f61a593714e96f4ffa49f6212eb5b83147a3b70d2a13c85de6fca46bb01af0508e240d0b1d44720b36e0691338de2b78f92f5d47ede8e7068 |
memory/4144-146-0x0000000001190000-0x0000000001E75000-memory.dmp
memory/4144-151-0x00000000005A0000-0x00000000005A1000-memory.dmp
memory/4144-152-0x0000000000C60000-0x0000000000C61000-memory.dmp
memory/4144-153-0x0000000000C90000-0x0000000000C91000-memory.dmp
memory/4144-155-0x0000000001190000-0x0000000001E75000-memory.dmp
memory/4144-154-0x0000000000CA0000-0x0000000000CA1000-memory.dmp
memory/4144-156-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
memory/4144-157-0x0000000000CC0000-0x0000000000CC1000-memory.dmp
memory/4144-164-0x0000000000CD0000-0x0000000000D10000-memory.dmp
memory/4144-163-0x0000000000CD0000-0x0000000000D10000-memory.dmp
memory/4144-162-0x0000000000CD0000-0x0000000000D10000-memory.dmp
memory/4144-161-0x0000000000CD0000-0x0000000000D10000-memory.dmp
memory/4144-160-0x0000000000CD0000-0x0000000000D10000-memory.dmp
memory/4144-159-0x0000000000CD0000-0x0000000000D10000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 7abba8174677b3c4d585cd620e6f0c6b |
| SHA1 | 2de166d22c395e3d8fddc964b145a10f14653e5b |
| SHA256 | 5b32fbd2dde8751cc9db1e650703b8054f864b344f20bce83ecb79b9a77342a1 |
| SHA512 | 8bac1c3c3ee0bb25870d1b288cd5d563294795681b0942a4b89182214b48ab8ece50d445f9faac0d4776e7395567b5ca867e1008e49d6e147e7e904682ae8d18 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 3da1b5ed8f1ce98cedee78df26dae863 |
| SHA1 | 37d6ae05a68479fe0156b82f68cbfb89945cc4b5 |
| SHA256 | fa3b9227c86565c67075010ce66bd675a3d0f59bab481c4f534440f56970c87c |
| SHA512 | 61cd9b206d7c8475e88996f89d0c94539b22d64357d1495899557050036e5281a29b6e1975a1d912f068d8bd1df251fd7bc93a368af0d67d49693f9cd5c1b9f8 |
memory/4144-171-0x0000000001190000-0x0000000001E75000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C3F7.exe
| MD5 | 3e55421d8b308ec86e5e4c8bead5fc70 |
| SHA1 | 226aeeb843770fa7085f4d0848cc7862c107ffc4 |
| SHA256 | 9c32cea5e3163fcacea2fd39108176538d7dac20a231588518558472206c9bd0 |
| SHA512 | 16f81970039e85aa5d25acea8c77b01cb8a1dfed886d2d4dea837dcb78f3490341bc5777a998c0c09ff67e08f90a4ffdc4d8c41a58c6df5ff3e63ddb37a6383b |
C:\Users\Admin\AppData\Local\Temp\C3F7.exe
| MD5 | b7423c8f3613c79f62bad2f058542eb7 |
| SHA1 | f4508c4fdaee371d8c9c3b19ed0c02be01fa1882 |
| SHA256 | c76ff1672abfa3dde264bde19669bbc9590198bb677b50afc95959c824036ca3 |
| SHA512 | 6e565085fe8ca69ffbdbcc5042b3ab0646be1fc24a62aad7e86bb4d2908ff24f23bb9054269cea8f3d1898cce115988a975754b7862441dd378b3a76544d82a8 |
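Two things in the Network and Files tables are easy to miss when reading them by hand: several of the .shop/.fun/.pw domains appear only as DNS queries to 8.8.8.8 with no TCP connection following, and several dropped-file paths (3E6C.exe, build2.exe, 9A65.exe, mstsca.exe, C3F7.exe) are listed more than once with different hashes. The script below is an added example, not part of the report or of the sandbox that produced it: it parses rows in the same markdown shape as the tables above, separates resolver traffic and in-addr.arpa reverse lookups from real connections, reports domains that were queried but never contacted, and groups the per-path hash tables so that every SHA256 written to a reused path ends up in the blocklist. The annotations for api.2ip.ua and steamcommunity.com are the editor's, and the embedded samples are constructed subsets of the rows above (SHA512 rows omitted for brevity; the parser accepts them).

```python
"""IOC extraction over sandbox Network and Files tables (added example, not report code)."""
import re
from collections import defaultdict

NET_ROW = re.compile(r"^\|\s*(\w{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]*?)\s*\|\s*(tcp|udp)\s*\|$")
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$", re.IGNORECASE)
RESOLVERS = {"8.8.8.8"}  # the sandbox's DNS server, not attacker infrastructure
# Editor's annotations: legitimate services that appear among the contacted hosts.
KNOWN_SERVICES = {"api.2ip.ua": "external IP lookup", "steamcommunity.com": "legitimate platform"}


def parse_network(text):
    """Rows of '| CC | ip:port | domain | proto |' into dicts; domain may be empty."""
    rows = []
    for line in text.splitlines():
        m = NET_ROW.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def summarize_network(rows):
    queried, ptr, connections = set(), 0, []
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["ip"] in RESOLVERS:
            if r["domain"].endswith(".in-addr.arpa"):
                ptr += 1  # reverse lookups the sandbox itself performs on seen IPs
            else:
                queried.add(r["domain"])
            continue
        key = (r["domain"], r["ip"], r["port"], r["proto"])
        if key not in connections:  # repeated connections to one endpoint count once
            connections.append(key)
    contacted = {d for d, _, _, _ in connections if d}
    return {
        "dns_queries": queried,
        "ptr_lookups": ptr,
        "connections": connections,
        # queried but never connected: unresolved or unreachable in the sandbox, still IOCs
        "dns_only": queried - contacted,
        "known_services": {d: KNOWN_SERVICES[d] for d in contacted if d in KNOWN_SERVICES},
    }


def parse_file_hashes(text):
    """Map each dropped-file path to the list of hash tables recorded under it."""
    hashes = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = HASH_ROW.match(line)
        if m and current is not None:
            hashes[current][-1][m.group(1).upper()] = m.group(2).lower()
        elif line.startswith("memory/") or not line:
            current = None  # memory dumps carry no hash table
        elif not line.startswith("|"):
            current = line
            hashes[current].append({})
    return dict(hashes)


def rewritten_paths(hashes):
    """Paths written more than once with different content: every SHA256 is an IOC."""
    out = {}
    for path, entries in hashes.items():
        shas = []
        for e in entries:
            if "SHA256" in e and e["SHA256"] not in shas:
                shas.append(e["SHA256"])
        if len(shas) > 1:
            out[path] = shas
    return out


# Constructed samples: subsets of the report's Network and Files rows.
SAMPLE_NETWORK = """
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.150.149:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 149.150.94.81.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| DE | 5.75.221.28:80 | 5.75.221.28 | tcp |
| RU | 81.94.150.149:80 | trad-einmyus.com | tcp |
"""
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\3E6C.exe
| MD5 | 8d76e42cbd333b2d7c3946ea1351ac7a |
| SHA1 | 800bd806ade43fb2d4f5c81a7929f3e8eeab7019 |
| SHA256 | 5e1e31f5dec4546c01331bc1705d7c7509c060b00b49d88f444b336992377498 |
memory/4852-20-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3E6C.exe
| MD5 | 69b62b8e3549a8849780b4031f0946fd |
| SHA1 | ab7a831ee201ec9cbc21a396c0f20f142602ca48 |
| SHA256 | 6b7d494c1a0b31cb004a00e8a69815732dfb8e7e2670c3496b554144970a3af5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 7abba8174677b3c4d585cd620e6f0c6b |
| SHA1 | 2de166d22c395e3d8fddc964b145a10f14653e5b |
| SHA256 | 5b32fbd2dde8751cc9db1e650703b8054f864b344f20bce83ecb79b9a77342a1 |
"""

if __name__ == "__main__":
    net = summarize_network(parse_network(SAMPLE_NETWORK))
    print("contacted:", net["connections"])
    print("queried only:", sorted(net["dns_only"]))
    print("known services:", net["known_services"])
    print("rewritten paths:", rewritten_paths(parse_file_hashes(SAMPLE_FILES)))
```

Keep the dns_only set in the blocklist together with the contacted hosts: a domain that did not resolve during this detonation can be registered later, and the queries themselves are a usable network signature. Treat the known-service hits (the IP lookup and the Steam community site) as behavioural indicators to correlate with, not as hosts to block outright.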