Malware Analysis Report

2024-09-11 16:49

Sample ID 240615-lwb7jswdqf
Target ##!!SetUp_2244_Pa$sW0rd$$!!.zip
SHA256 4598c5238bd0334b7b237e768de7e703fdcccf553062201fbe1f1addc3bfa821
Tags
stealc vidar discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

4598c5238bd0334b7b237e768de7e703fdcccf553062201fbe1f1addc3bfa821

Threat Level: Known bad

The file ##!!SetUp_2244_Pa$sW0rd$$!!.zip was found to be: Known bad.

Malicious Activity Summary

stealc vidar discovery spyware stealer

Vidar

Detect Vidar Stealer

Stealc

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Accesses cryptocurrency files/wallets, possible credential harvesting

Downloads MZ/PE file

Checks computer location settings

Suspicious use of SetThreadContext

Executes dropped EXE

Drops file in Windows directory

Loads dropped DLL

Checks installed software on the system

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 09:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 09:52

Reported

2024-06-15 09:55

Platform

win7-20240221-en

Max time kernel

119s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 09:52

Reported

2024-06-15 09:56

Platform

win10v2004-20240611-en

Max time kernel

118s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (7 matches, no details recorded)

Stealc

stealer stealc

Vidar

stealer vidar

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2124 set thread context of 3400 | N/A | C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe | C:\Windows\SysWOW64\netsh.exe
PID 4372 set thread context of 4620 | N/A | C:\ProgramData\ECAFHIIJJE.exe | C:\Windows\SysWOW64\ftp.exe
PID 3280 set thread context of 2548 | N/A | C:\ProgramData\FCAECAKKFB.exe | C:\Windows\SysWOW64\ftp.exe
PID 4620 set thread context of 916 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\Watcher Com SH.job | C:\Windows\SysWOW64\ftp.exe | N/A
File created | C:\Windows\Tasks\TWI Cloud Host.job | C:\Windows\SysWOW64\ftp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\FCAECAKKFB.exe | N/A
N/A | N/A | C:\ProgramData\ECAFHIIJJE.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A (x3)

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A

Suspicious use of WriteProcessMemory

Description (count of identical entries) | Indicator | Process | Target
PID 2124 wrote to memory of 3400 (x4) | N/A | C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe | C:\Windows\SysWOW64\netsh.exe
PID 3400 wrote to memory of 2156 (x5) | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2156 wrote to memory of 3280 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\ProgramData\FCAECAKKFB.exe
PID 2156 wrote to memory of 4372 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\ProgramData\ECAFHIIJJE.exe
PID 4372 wrote to memory of 4620 (x4) | N/A | C:\ProgramData\ECAFHIIJJE.exe | C:\Windows\SysWOW64\ftp.exe
PID 3280 wrote to memory of 2548 (x4) | N/A | C:\ProgramData\FCAECAKKFB.exe | C:\Windows\SysWOW64\ftp.exe
PID 2156 wrote to memory of 4556 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe
PID 4556 wrote to memory of 4648 (x3) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4620 wrote to memory of 916 (x4) | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2548 wrote to memory of 4604 (x4) | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\SysWOW64\explorer.exe
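
Read together, the SetThreadContext and WriteProcessMemory tables above (and their counterparts in behavioral3) describe a single chain: Setup.exe writes into and sets the thread context of a freshly started netsh.exe, that netsh.exe starts coml.au3 (a PE despite the AutoIt extension; it appears under Processes and loads the dropped DLLs), coml.au3 launches the two executables from C:\ProgramData, each of those does the same write-plus-SetThreadContext dance on an ftp.exe, and one ftp.exe repeats it on MSBuild.exe. Write-then-SetThreadContext on a child that is a Windows-signed binary is the footprint of process hollowing, which is why the sample's stealer code ends up running under ftp.exe and MSBuild.exe. The Python below is an added example written for this edit, not code from the sandbox or from the sample: it parses rows in the report's own format, pairs the two operations per parent/child, and walks the graph from the Setup.exe PID. The embedded rows are transcribed from behavioral2 with duplicates removed; the parser assumes image paths contain no spaces, which holds for this report but not in general.

```python
"""Rebuild the injection chain from sandbox 'wrote to memory' / 'set thread
context' rows and flag process hollowing of Windows-signed binaries.
Added example: the rows are transcribed from the report's behavioral2 tables
with duplicates removed; the parser assumes image paths contain no spaces,
which holds for every path in this report but not in general."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: unique rows from the behavioral2 signature tables.
SANDBOX_ROWS = r"""
PID 2124 set thread context of 3400 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 4372 set thread context of 4620 N/A C:\ProgramData\ECAFHIIJJE.exe C:\Windows\SysWOW64\ftp.exe
PID 3280 set thread context of 2548 N/A C:\ProgramData\FCAECAKKFB.exe C:\Windows\SysWOW64\ftp.exe
PID 4620 set thread context of 916 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2124 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 3400 wrote to memory of 2156 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2156 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\ProgramData\FCAECAKKFB.exe
PID 2156 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\ProgramData\ECAFHIIJJE.exe
PID 4372 wrote to memory of 4620 N/A C:\ProgramData\ECAFHIIJJE.exe C:\Windows\SysWOW64\ftp.exe
PID 3280 wrote to memory of 2548 N/A C:\ProgramData\FCAECAKKFB.exe C:\Windows\SysWOW64\ftp.exe
PID 2156 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\cmd.exe
PID 4556 wrote to memory of 4648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4620 wrote to memory of 916 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2548 wrote to memory of 4604 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
"""

# "PID <src> <op> <dst> <indicator> <src image> <dst image>"; images have no spaces here.
ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \S+ (C:\\\S+) (C:\\\S+)$"
)


def parse_rows(text):
    """One event per parseable row: src/dst PIDs, op ('write' or 'ctx'), image paths."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, op, dst, src_img, dst_img = m.groups()
        events.append({"src": int(src), "dst": int(dst),
                       "op": "ctx" if op.startswith("set thread") else "write",
                       "src_img": src_img, "dst_img": dst_img})
    return events


def is_windows_binary(path):
    """Image lives under the Windows directory: a signed OS binary used as a host."""
    return path.lower().startswith("c:\\windows\\")


def hollowing_candidates(events):
    """Parent/child pairs that saw both WriteProcessMemory and SetThreadContext on a
    Windows-signed child: CreateProcess(SUSPENDED) -> write -> SetThreadContext -> resume."""
    ops, images = defaultdict(set), {}
    for e in events:
        key = (e["src"], e["dst"])
        ops[key].add(e["op"])
        images[key] = (e["src_img"], e["dst_img"])
    hits = []
    for (src, dst), seen in ops.items():
        src_img, dst_img = images[(src, dst)]
        if {"write", "ctx"} <= seen and is_windows_binary(dst_img):
            hits.append((src, PureWindowsPath(src_img).name, dst, PureWindowsPath(dst_img).name))
    return sorted(hits)


def injection_chains(events, root_pid):
    """All root-to-leaf paths in the 'who wrote into whom' graph, as PID lists.
    A parent writing into a child it just created is recorded the same way as a
    true injection, so this doubles as a process tree for the sample."""
    children = defaultdict(set)
    for e in events:
        children[e["src"]].add(e["dst"])
    chains = []

    def walk(pid, path):
        if pid in path:  # sandbox PIDs get reused; never loop
            return
        path = path + [pid]
        if not children.get(pid):
            chains.append(path)
            return
        for child in sorted(children[pid]):
            walk(child, path)

    walk(root_pid, [])
    return chains


def render_chain(events, chain):
    """Human-readable 'name(pid) -> name(pid)' form of one chain."""
    names = {}
    for e in events:
        names[e["src"]] = PureWindowsPath(e["src_img"]).name
        names[e["dst"]] = PureWindowsPath(e["dst_img"]).name
    return " -> ".join(f"{names[p]}({p})" for p in chain)


if __name__ == "__main__":
    evs = parse_rows(SANDBOX_ROWS)
    for src, src_name, dst, dst_name in hollowing_candidates(evs):
        print(f"hollowing: {src_name}({src}) -> {dst_name}({dst})")
    for chain in injection_chains(evs, 2124):
        print(render_chain(evs, chain))
```

Run against the behavioral2 rows this reports four hollowing pairs (Setup.exe into netsh.exe, each ProgramData dropper into ftp.exe, ftp.exe into MSBuild.exe) and three root-to-leaf chains, the longest being Setup.exe -> netsh.exe -> coml.au3 -> ECAFHIIJJE.exe -> ftp.exe -> MSBuild.exe. The netsh.exe -> coml.au3 edge is write-only, so it is a plain process launch rather than hollowing; on a real host the same pairing logic applies to Sysmon event 8/10 or ETW threat-intelligence telemetry.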

Processes

C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\ProgramData\FCAECAKKFB.exe

"C:\ProgramData\FCAECAKKFB.exe"

C:\ProgramData\ECAFHIIJJE.exe

"C:\ProgramData\ECAFHIIJJE.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DHDBGHCBAEGC" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe
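
Three host-side artifacts in this run are worth turning into detections: the hollowed ftp.exe writing Watcher Com SH.job and TWI Cloud Host.job into C:\Windows\Tasks (legacy scheduled-task persistence), coml.au3 creating a certificate entry under AuthRoot\Certificates, and the cmd.exe one-liner listed above, which sleeps ten seconds via timeout.exe and then removes the C:\ProgramData\DHDBGHCBAEGC staging directory that held the Firefox credential libraries (nss3.dll, mozglue.dll, softokn3.dll). The Python below is an added example by the editor, not code from the report or the sample: the events are hand-built from the report's rows in a Sysmon-like shape, and the allow-list of legitimate .job writers is an assumption to tune per estate. One caveat on the AuthRoot rule: Windows' automatic root update writes to the same key in the context of whichever process first makes a TLS connection that needs that root, so sandboxes routinely attribute this to the malware; treat the hit as a prompt to check the thumbprint against a trusted CTL, not as proof that the sample planted a CA.

```python
"""Rules for the persistence and evasion artifacts in this run: .job files
dropped into the Windows Tasks directory by a hollowed ftp.exe, a certificate
written straight into the AuthRoot store by coml.au3, and the
'timeout ... & rd /s /q' self-cleanup one-liner. Added example; EVENTS are
hand-built from the report's rows in a Sysmon-like shape and TASK_WRITERS is
the editor's assumption."""
import re

# Constructed events (values copied from behavioral2); the last one is a benign control.
EVENTS = [
    {"type": "file_create", "image": r"C:\Windows\SysWOW64\ftp.exe",
     "target": r"C:\Windows\Tasks\Watcher Com SH.job"},
    {"type": "file_create", "image": r"C:\Windows\SysWOW64\ftp.exe",
     "target": r"C:\Windows\Tasks\TWI Cloud Host.job"},
    {"type": "registry_set", "image": r"C:\Users\Admin\AppData\Local\Temp\coml.au3",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob"},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\coml.au3",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DHDBGHCBAEGC" & exit'},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\ftp.exe",
     "parent": r"C:\ProgramData\ECAFHIIJJE.exe", "cmdline": r"C:\Windows\SysWOW64\ftp.exe"},
    {"type": "file_create", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Tasks\Legit.job"},
]

# Processes that legitimately create .job files (assumption; tune per estate).
TASK_WRITERS = {"svchost.exe", "schtasks.exe", "mmc.exe", "taskeng.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SELF_DELETE_RE = re.compile(r'timeout\s+/t\s+\d+\s*&\s*rd\s+/s\s+/q\s+"?(?P<dir>[^"&]+)', re.I)
AUTHROOT_RE = re.compile(r"\\SystemCertificates\\AuthRoot\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def from_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def rule_task_job(ev):
    """Scheduled-task .job file written by something other than the scheduler."""
    target = ev.get("target", "").lower()
    if (ev["type"] == "file_create" and target.startswith("c:\\windows\\tasks\\")
            and target.endswith(".job") and basename(ev["image"]) not in TASK_WRITERS):
        return f"job-file persistence: {basename(ev['image'])} wrote {ev['target']}"
    return None


def rule_authroot(ev):
    """AuthRoot certificate write by a process running from a user-writable path.
    The OS root auto-update writes the same key during a TLS handshake, so this is
    a prompt to verify the thumbprint, not proof of a planted CA."""
    if ev["type"] != "registry_set":
        return None
    m = AUTHROOT_RE.search(ev.get("target", ""))
    if m and from_user_writable(ev["image"]):
        return f"AuthRoot write by {ev['image']}: thumbprint {m['thumb'].upper()}"
    return None


def rule_self_delete(ev):
    """cmd.exe sleeping via timeout, then deleting the staging directory."""
    if ev["type"] != "process_create":
        return None
    m = SELF_DELETE_RE.search(ev.get("cmdline", ""))
    return f"delayed self-cleanup of {m['dir'].strip()}" if m else None


RULES = (rule_task_job, rule_authroot, rule_self_delete)


def run_rules(events):
    """(rule name, message) for every event/rule match, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


if __name__ == "__main__":
    for name, msg in run_rules(EVENTS):
        print(f"[{name}] {msg}")
```

The self-delete rule captures the directory name, which is the thing to look for on disk: by the time a responder arrives the folder is gone, but the .job files in C:\Windows\Tasks survive the cleanup and are the cheapest persistence artifact to sweep for across a fleet.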

Network

Country Destination Domain Proto (xN: consecutive identical rows collapsed)
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
BE 88.221.83.192:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 192.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 feeldog.xyz udp
US 172.67.133.78:443 feeldog.xyz tcp
US 8.8.8.8:53 78.133.67.172.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 195.201.251.58:9000 195.201.251.58 tcp (x3)
US 8.8.8.8:53 58.251.201.195.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
DE 195.201.251.58:9000 195.201.251.58 tcp (x2)
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 195.201.251.58:9000 195.201.251.58 tcp (x7)
US 8.8.8.8:53 businessdownloads.ltd udp
US 104.21.16.123:443 businessdownloads.ltd tcp
US 8.8.8.8:53 123.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
DE 195.201.251.58:9000 195.201.251.58 tcp
US 8.8.8.8:53 i.imgur.com udp
US 199.232.196.193:443 i.imgur.com tcp
DE 195.201.251.58:9000 195.201.251.58 tcp (x2)
US 8.8.8.8:53 193.196.232.199.in-addr.arpa udp
DE 195.201.251.58:9000 195.201.251.58 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 195.201.251.58:9000 195.201.251.58 tcp (x2)
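
Read the Network table with three filters in mind: the 8.8.8.8:53 rows are the sandbox resolver, the in-addr.arpa names are the sandbox's own reverse lookups of every peer it saw, and bing.com is Windows background traffic. What is left is the sample's footprint: feeldog.xyz, t.me, businessdownloads.ltd and i.imgur.com over 443, eighteen TCP connections to 195.201.251.58 on port 9000 with no DNS name at all, and in behavioral3 one connection to 135.181.22.88:80. The Python below is an added example, not part of the report; its rows are an abridged copy of the two Network tables and the benign-suffix list is the editor's assumption. t.me and i.imgur.com are legitimate services and only make sense as block entries in context; Vidar is publicly documented as pulling its C2 address from social-media and image-hosting profiles, which is consistent with this trace but is not something the report itself states.

```python
"""Triage a sandbox Network table: drop resolver, reverse-DNS and Windows
background traffic, then separate name-based destinations from connections
made to a bare IP (no DNS), which in stealer traces is usually the C2 or
exfil host. Added example; rows below are abridged from the report's
behavioral2 and behavioral3 Network tables (constructed input)."""
import re
from collections import Counter

NETWORK_ROWS = """
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
BE 88.221.83.192:443 www.bing.com tcp
US 8.8.8.8:53 feeldog.xyz udp
US 172.67.133.78:443 feeldog.xyz tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
US 8.8.8.8:53 58.251.201.195.in-addr.arpa udp
DE 195.201.251.58:9000 195.201.251.58 tcp
US 104.21.16.123:443 businessdownloads.ltd tcp
US 199.232.196.193:443 i.imgur.com tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
FI 135.181.22.88:80 135.181.22.88 tcp
"""

ROW_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+) (\S+) (tcp|udp)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Windows/sandbox background destinations. Editor's assumption, not from the report.
BENIGN_SUFFIXES = (".bing.com", ".microsoft.com", ".windowsupdate.com", ".msftconnecttest.com")


def parse_network(text):
    """One dict per 'CC ip:port domain proto' row; anything else is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_noise_name(name):
    """Reverse lookups the sandbox performs on every peer, plus OS background traffic."""
    return name.endswith(".in-addr.arpa") or any(
        name == s.lstrip(".") or name.endswith(s) for s in BENIGN_SUFFIXES)


def triage(text):
    beacons = Counter()   # "ip:port" reached with no DNS name (Domain column is the IP itself)
    domains = {}          # domain -> set of "ip:port" actually connected to
    queried = set()       # names resolved via the sandbox resolver
    noise = 0
    for r in parse_network(text):
        name = r["domain"]
        if is_noise_name(name):
            noise += 1
        elif r["proto"] == "udp" and r["port"] == 53:
            queried.add(name)  # resolver row: only the queried name matters
        else:
            dst = f'{r["ip"]}:{r["port"]}'
            if IPV4_RE.match(name):
                beacons[dst] += 1
            else:
                domains.setdefault(name, set()).add(dst)
    return {"beacons": dict(beacons), "domains": domains,
            "queried_only": queried - set(domains), "noise": noise}


def nonstandard_port_beacons(result, allowed=(80, 443)):
    """Bare-IP connections on ports that are not plain web traffic."""
    return {dst: n for dst, n in result["beacons"].items()
            if int(dst.rsplit(":", 1)[1]) not in allowed}


def ioc_list(result):
    """Flat sorted list of names and IPs for a blocklist or hunting query."""
    iocs = set(result["domains"]) | set(result["queried_only"])
    iocs |= {dst.rsplit(":", 1)[0] for dst in result["beacons"]}
    return sorted(iocs)


if __name__ == "__main__":
    res = triage(NETWORK_ROWS)
    print("noise rows dropped:", res["noise"])
    print("beacons:", res["beacons"])
    print("suspicious ports:", nonstandard_port_beacons(res))
    print("IOCs:", ioc_list(res))
```

On the abridged rows the only non-standard-port beacon is 195.201.251.58:9000, which is the entry to prioritise for a network block and for a retro-hunt in proxy and NetFlow data; the name-based destinations are worth pivoting on, but two of them are shared platforms and should be matched with the full URL path where the telemetry allows it.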

Files

memory/2124-0-0x00007FFBF3450000-0x00007FFBF35C2000-memory.dmp

memory/2124-5-0x00007FFBF3468000-0x00007FFBF3469000-memory.dmp

memory/2124-6-0x00007FFBF3450000-0x00007FFBF35C2000-memory.dmp

memory/2124-7-0x00007FFBF3450000-0x00007FFBF35C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a0f4ad70

MD5 6b3fc718ef66311d05fd7f9ff83e541d
SHA1 f98cf16628a02540ec653b056c94c91932fef3c5
SHA256 a458db1e508c1742d3754f53bdea16f7686a42972073b50af25b299d6c9ad709
SHA512 08dbdd4b9e98408c0f8d29983b01655b12e8cc6734a287c4eac305b1668cf0d1363533ce608f6cc2a3f88f4124037dd46391f67a703ff24384cff40c469e4e9b

memory/3400-10-0x00007FFC01A30000-0x00007FFC01C25000-memory.dmp

memory/3400-12-0x000000007460E000-0x0000000074610000-memory.dmp

memory/3400-13-0x0000000074601000-0x000000007460F000-memory.dmp

memory/3400-17-0x0000000074601000-0x000000007460F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coml.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2156-19-0x0000000001120000-0x000000000186C000-memory.dmp

memory/2156-21-0x00007FFC01A30000-0x00007FFC01C25000-memory.dmp

memory/2156-22-0x0000000001120000-0x000000000186C000-memory.dmp

memory/2156-26-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\DHDBGHCBAEGC\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\DHDBGHCBAEGC\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\FCAECAKKFB.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

memory/2156-111-0x0000000001120000-0x000000000186C000-memory.dmp

memory/3280-114-0x0000000000500000-0x0000000000A13000-memory.dmp

C:\ProgramData\ECAFHIIJJE.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

memory/4372-125-0x0000000000350000-0x0000000000598000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\536dc159

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

C:\Users\Admin\AppData\Local\Temp\510c46e4

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

memory/4372-137-0x0000000072A60000-0x0000000072BDB000-memory.dmp

memory/3280-136-0x0000000072A60000-0x0000000072BDB000-memory.dmp

memory/4372-138-0x00007FFC01A30000-0x00007FFC01C25000-memory.dmp

memory/3280-139-0x00007FFC01A30000-0x00007FFC01C25000-memory.dmp

memory/2156-146-0x0000000001120000-0x000000000186C000-memory.dmp

memory/2156-147-0x0000000001120000-0x000000000186C000-memory.dmp

memory/4372-148-0x0000000072A60000-0x0000000072BDB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\565039bd

MD5 98945b4ef62413ea3bff24c4508b9fad
SHA1 11fddd10445f4c790e1d72d4c613ae9adbdf95ba
SHA256 aa4bbe20186e7ceefaa102cebaa4c0ef638303ca766c6427fad908b339ae9cc2
SHA512 7574569b1c9776c70a770c72405232ccf8b7a42636d82753c787ac1c75ad579a681ced2f7236f4e8995d61ef1d6d816405c1c10ec6e87803e710cde05f511bb4

memory/3280-151-0x0000000072A60000-0x0000000072BDB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\57db3a1d

MD5 bf3f8629b8e2e7fc2441852da544cccc
SHA1 4ba1954890997bc7cd5c592661d93e3866719dab
SHA256 39792ae7b3164d1bbbab719a408932a44be5d458020c45d23807e10c9f628fdb
SHA512 b54d07f39ff079063d1cb4e086041e8dedf216e029c0b383832dd432aa8c41c00f2df327ceee700298578c9cc96a2c50cb4e7cf0d051aca795157e9bebd40529

memory/4620-154-0x00007FFC01A30000-0x00007FFC01C25000-memory.dmp

memory/2548-155-0x00007FFC01A30000-0x00007FFC01C25000-memory.dmp

memory/2156-162-0x0000000001120000-0x000000000186C000-memory.dmp

memory/2156-171-0x0000000001120000-0x000000000186C000-memory.dmp

memory/2548-172-0x0000000072A60000-0x0000000072BDB000-memory.dmp

memory/4620-182-0x0000000072A60000-0x0000000072BDB000-memory.dmp

C:\ProgramData\DHDBGHCBAEGC\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\DHDBGHCBAEGC\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\DHDBGHCBAEGC\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

memory/916-190-0x00007FFBE26C0000-0x00007FFBE3D37000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 09:52

Reported

2024-06-15 09:56

Platform

win11-20240611-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (6 matches, no details recorded)

Stealc

stealer stealc

Vidar

stealer vidar

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2856 set thread context of 328 | N/A | C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe | C:\Windows\SysWOW64\netsh.exe
PID 3028 set thread context of 3796 | N/A | C:\ProgramData\FBFCAKKKFB.exe | C:\Windows\SysWOW64\ftp.exe
PID 5096 set thread context of 616 | N/A | C:\ProgramData\CBFIIEHJDB.exe | C:\Windows\SysWOW64\ftp.exe
PID 616 set thread context of 3760 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\Watcher Com SH.job | C:\Windows\SysWOW64\ftp.exe | N/A
File created | C:\Windows\Tasks\TWI Cloud Host.job | C:\Windows\SysWOW64\ftp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\FBFCAKKKFB.exe | N/A
N/A | N/A | C:\ProgramData\CBFIIEHJDB.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A (x3)

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description (count of identical entries) | Indicator | Process | Target
PID 2856 wrote to memory of 328 (x4) | N/A | C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe | C:\Windows\SysWOW64\netsh.exe
PID 328 wrote to memory of 4684 (x5) | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 4684 wrote to memory of 3028 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\ProgramData\FBFCAKKKFB.exe
PID 3028 wrote to memory of 3796 (x4) | N/A | C:\ProgramData\FBFCAKKKFB.exe | C:\Windows\SysWOW64\ftp.exe
PID 4684 wrote to memory of 5096 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\ProgramData\CBFIIEHJDB.exe
PID 5096 wrote to memory of 616 (x4) | N/A | C:\ProgramData\CBFIIEHJDB.exe | C:\Windows\SysWOW64\ftp.exe
PID 4684 wrote to memory of 1000 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe
PID 1000 wrote to memory of 3024 (x3) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 616 wrote to memory of 3760 (x4) | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 3796 wrote to memory of 4112 (x4) | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\ProgramData\FBFCAKKKFB.exe

"C:\ProgramData\FBFCAKKKFB.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\ProgramData\CBFIIEHJDB.exe

"C:\ProgramData\CBFIIEHJDB.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AFCFHJJECAEH" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto (xN: consecutive identical rows collapsed)
US 8.8.8.8:53 feeldog.xyz udp
US 172.67.133.78:443 feeldog.xyz tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
NL 149.154.167.99:443 t.me tcp
DE 195.201.251.58:9000 195.201.251.58 tcp (x12)
US 172.67.212.123:443 businessdownloads.ltd tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
US 199.232.192.193:443 i.imgur.com tcp
DE 195.201.251.58:9000 195.201.251.58 tcp (x7)
FI 135.181.22.88:80 135.181.22.88 tcp

Files

memory/2856-0-0x00007FFFB50E0000-0x00007FFFB525A000-memory.dmp

memory/2856-5-0x00007FFFB50F8000-0x00007FFFB50F9000-memory.dmp

memory/2856-6-0x00007FFFB50E0000-0x00007FFFB525A000-memory.dmp

memory/2856-7-0x00007FFFB50E0000-0x00007FFFB525A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\856deca5

MD5 9bfdb10d8a2c44f1817d90f68d5460f6
SHA1 cc2bde49d03cd97b55915a187c1aa23f08cbf489
SHA256 a8fc48ba4970de1bd43e6ec83a0f44345b01b0593578554fd2a9cece754157ef
SHA512 f349e3299b883ca69822190195ddf00deaeb80340fb114691c35a8f8084468d59120b30d9c25d36e12dc499cf70db833b608265b987ea0feca5de29781e2b61c

memory/328-10-0x00007FFFD5760000-0x00007FFFD5969000-memory.dmp

memory/328-13-0x0000000073851000-0x000000007385F000-memory.dmp

memory/328-12-0x000000007385E000-0x0000000073860000-memory.dmp

memory/328-17-0x0000000073851000-0x000000007385F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coml.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/4684-19-0x0000000000B50000-0x000000000129C000-memory.dmp

memory/4684-21-0x00007FFFD5760000-0x00007FFFD5969000-memory.dmp

memory/4684-22-0x0000000000B50000-0x000000000129C000-memory.dmp

memory/4684-28-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\AFCFHJJECAEH\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\AFCFHJJECAEH\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\FBFCAKKKFB.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

memory/4684-112-0x0000000000B50000-0x000000000129C000-memory.dmp

memory/3028-116-0x0000000000860000-0x0000000000D73000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2fa5f2cf

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

memory/3028-122-0x0000000071D70000-0x0000000071EED000-memory.dmp

memory/3028-123-0x00007FFFD5760000-0x00007FFFD5969000-memory.dmp

C:\ProgramData\CBFIIEHJDB.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

memory/5096-134-0x0000000000D70000-0x0000000000FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\36db2e25

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

memory/5096-140-0x0000000071D70000-0x0000000071EED000-memory.dmp

memory/5096-141-0x00007FFFD5760000-0x00007FFFD5969000-memory.dmp

C:\ProgramData\AFCFHJJECAEH\JJECGC

MD5 59071590099d21dd439896592338bf95
SHA1 6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c
SHA256 07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541
SHA512 eedb6cadbceb2c991fc6f68dccb80463b3f660c5358acd7d705398ae2e3df2b4327f0f6c6746486848bd2992b379776483a98063ae96edb45877bb0314874668

memory/4684-175-0x0000000000B50000-0x000000000129C000-memory.dmp

memory/4684-176-0x0000000000B50000-0x000000000129C000-memory.dmp

memory/3028-180-0x0000000071D70000-0x0000000071EED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31fa1a1d

MD5 5159a8ebeab8f6c87b27c2d57c45ab96
SHA1 eb9409a2396b51e8ec7c8b363c6085237b0001bf
SHA256 dbd302a0bf2a042ae5e648d885bc99f055e0981b3c6b4f8ff1d14017220da58f
SHA512 8296a77aec53929db2cf596d7dbad0df471530f0ff47eaba007a9222d2675578764ed61f2f9c2947526d9d2a3e3cc8035e595c3c07ead3ae394117c0cde0a61f

C:\ProgramData\AFCFHJJECAEH\CBFIIE

MD5 c8260d37073d07384063820fcd97cb1c
SHA1 25324c500695d19e4a0a0824228576a59f9abe58
SHA256 29391ff5068cfd037ed486db2fd2bc780731ca952df39377240aa4456f176560
SHA512 ffbba119b938f8227907792b8a7853daf8c8279c9f3e0f4408ddb324b21a75d093e8790efe4a7e6876b171a2cffb71022cd7a8d2f4fd1ac5b813c5aec4d6bd4b

C:\ProgramData\AFCFHJJECAEH\IJKKEH

MD5 41ac544896c59f0f47c5422e8d8cbe3c
SHA1 4fac0744d1c5eb1fb9da3b9fac67f690639c1ebc
SHA256 a46a88cd9a2318aa069993b23acf27db06f528ca5bdbebee717e25b38a5dc45a
SHA512 83ab24023f5b16bc5d549a8d934cfe9f1a79bc87f3c579992e6cf885cb9f14e2facef8b83d1af7b141fb23285d1509779da17236a587436127a9ccacedcb9e35

memory/5096-193-0x0000000071D70000-0x0000000071EED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3992bc96

MD5 6bd0a99c38fe20de81a9f78bbbe6bd95
SHA1 92cea25d38c57fd6d46ca328fe1854abc2c23805
SHA256 32312034fb74f36e9dbdba795e9c8405406db28d60201223ea6a01a180c6c3c4
SHA512 ac7d99e5b76ee731fd1e34136aae10b0cacd9d83c711633dab4da2a2e73c9effd0a51af9a2715214234f7bd6c001787e8afc17c6df9ef43f79dfcb31b0f48de8

memory/4684-198-0x0000000000B50000-0x000000000129C000-memory.dmp

memory/3796-199-0x00007FFFD5760000-0x00007FFFD5969000-memory.dmp

memory/616-200-0x00007FFFD5760000-0x00007FFFD5969000-memory.dmp

memory/3796-201-0x0000000071D70000-0x0000000071EED000-memory.dmp

C:\ProgramData\AFCFHJJECAEH\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\AFCFHJJECAEH\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\AFCFHJJECAEH\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

memory/616-216-0x0000000071D70000-0x0000000071EED000-memory.dmp

memory/3760-218-0x00007FFFB3D30000-0x00007FFFB53D0000-memory.dmp

memory/3760-222-0x0000000000400000-0x000000000040A000-memory.dmp