Malware Analysis Report

2024-09-11 16:10

Sample ID 240619-yr6xksyhnh
Target #^NeW_PcSetUp_6677_PaSṣKḕY#$.zip
SHA256 1be2dfdf4733f2403d090150a91a260967074db492b4c602c4fe873f45e3f2c5
Tags stealc vidar xmrig discovery miner spyware stealer upx amadey ffb1b9 trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 1be2dfdf4733f2403d090150a91a260967074db492b4c602c4fe873f45e3f2c5

Threat Level: Known bad

The file #^NeW_PcSetUp_6677_PaSṣKḕY#$.zip was found to be: Known bad.

Malicious Activity Summary

stealc vidar xmrig discovery miner spyware stealer upx amadey ffb1b9 trojan

Vidar

Detect Vidar Stealer

Stealc

Amadey

xmrig

XMRig Miner payload

Downloads MZ/PE file

Reads data files stored by FTP clients

Reads user/profile data of web browsers

UPX packed file

Reads user/profile data of local email clients

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: MapViewOfSection

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-19 20:02

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-19 20:02
Reported 2024-06-19 20:04
Platform win10v2004-20240508-en
Max time kernel 120s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe"

Signatures

Detect Vidar Stealer

stealer

Stealc

stealer stealc

Vidar

stealer vidar

xmrig

miner xmrig

XMRig Miner payload

miner

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\AKJDGIEHCA.exe N/A
N/A N/A C:\ProgramData\JJKEBGHJKF.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Watcher Com SH.job C:\Windows\SysWOW64\ftp.exe N/A
File created C:\Windows\Tasks\TWI Cloud Host.job C:\Windows\SysWOW64\ftp.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\ProgramData\AKJDGIEHCA.exe N/A
N/A N/A C:\ProgramData\AKJDGIEHCA.exe N/A
N/A N/A C:\ProgramData\AKJDGIEHCA.exe N/A
N/A N/A C:\ProgramData\JJKEBGHJKF.exe N/A
N/A N/A C:\ProgramData\JJKEBGHJKF.exe N/A
N/A N/A C:\ProgramData\JJKEBGHJKF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe C:\Windows\SysWOW64\more.com
PID 3048 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe C:\Windows\SysWOW64\more.com
PID 3048 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe C:\Windows\SysWOW64\more.com
PID 3048 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe C:\Windows\SysWOW64\more.com
PID 2564 wrote to memory of 1436 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 2564 wrote to memory of 1436 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 2564 wrote to memory of 1436 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 2564 wrote to memory of 1436 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 2564 wrote to memory of 1436 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1436 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\AKJDGIEHCA.exe
PID 1436 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\AKJDGIEHCA.exe
PID 1436 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\AKJDGIEHCA.exe
PID 4696 wrote to memory of 752 N/A C:\ProgramData\AKJDGIEHCA.exe C:\Windows\SysWOW64\ftp.exe
PID 4696 wrote to memory of 752 N/A C:\ProgramData\AKJDGIEHCA.exe C:\Windows\SysWOW64\ftp.exe
PID 4696 wrote to memory of 752 N/A C:\ProgramData\AKJDGIEHCA.exe C:\Windows\SysWOW64\ftp.exe
PID 1436 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\JJKEBGHJKF.exe
PID 1436 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\JJKEBGHJKF.exe
PID 1436 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\JJKEBGHJKF.exe
PID 796 wrote to memory of 2520 N/A C:\ProgramData\JJKEBGHJKF.exe C:\Windows\SysWOW64\ftp.exe
PID 796 wrote to memory of 2520 N/A C:\ProgramData\JJKEBGHJKF.exe C:\Windows\SysWOW64\ftp.exe
PID 796 wrote to memory of 2520 N/A C:\ProgramData\JJKEBGHJKF.exe C:\Windows\SysWOW64\ftp.exe
PID 4696 wrote to memory of 752 N/A C:\ProgramData\AKJDGIEHCA.exe C:\Windows\SysWOW64\ftp.exe
PID 796 wrote to memory of 2520 N/A C:\ProgramData\JJKEBGHJKF.exe C:\Windows\SysWOW64\ftp.exe
PID 1436 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 4568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2400 wrote to memory of 4568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2400 wrote to memory of 4568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2520 wrote to memory of 704 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2520 wrote to memory of 704 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 752 wrote to memory of 3724 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 752 wrote to memory of 3724 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 752 wrote to memory of 3724 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 2520 wrote to memory of 704 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2520 wrote to memory of 704 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 752 wrote to memory of 3724 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 704 wrote to memory of 3864 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 704 wrote to memory of 3864 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 704 wrote to memory of 3864 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 704 wrote to memory of 3864 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 704 wrote to memory of 3864 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 704 wrote to memory of 3864 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 704 wrote to memory of 3864 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Processes

C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4696,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4184 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2972,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=2380 /prefetch:3

C:\ProgramData\AKJDGIEHCA.exe

"C:\ProgramData\AKJDGIEHCA.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\ProgramData\JJKEBGHJKF.exe

"C:\ProgramData\JJKEBGHJKF.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JJJDGIECFCAK" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 poocoin.online udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 18.53.55.162.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 businessdownloads.ltd udp
US 104.21.16.123:443 businessdownloads.ltd tcp
US 8.8.8.8:53 123.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 i.imgur.com udp
US 199.232.196.193:443 i.imgur.com tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 193.196.232.199.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
FI 135.181.22.88:80 135.181.22.88 tcp
US 8.8.8.8:53 88.22.181.135.in-addr.arpa udp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
US 8.8.8.8:53 proresupdate.com udp
US 45.152.112.146:80 proresupdate.com tcp
US 8.8.8.8:53 146.112.152.45.in-addr.arpa udp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp

Files

C:\Users\Admin\AppData\Local\Temp\c0d4db27

MD5 d45b8a35b261dc6fa1c51ed47a638600
SHA1 695c0daac3e85fdfb9ec03bbfc07750506c39033
SHA256 30fd4b28b81767cc4f28ee83f757e272c80434af3f6b3235db88f3998cfc5a1a
SHA512 20b2ccbbc8b4019a785b0bb2d3e638483beed48cf5c52677da93a1cbb3b9e2998b3def9112fcea8d542b01b1b42ef079d608b0a9c0a4dc4cb6432d3826166293

C:\Users\Admin\AppData\Local\Temp\CUF.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\ProgramData\JJJDGIECFCAK\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\JJJDGIECFCAK\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\AKJDGIEHCA.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

C:\Users\Admin\AppData\Local\Temp\970151fc

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

C:\ProgramData\JJKEBGHJKF.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

C:\Users\Admin\AppData\Local\Temp\9bb57e90

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\803d01b3-4ac3-4eb9-b6e3-e6a33013db07.tmp

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

C:\Users\Admin\AppData\Local\Temp\98f5192b

MD5 90f6f139befd8733f670d37ba0d2d697
SHA1 b2d396b2934a438f2b074378769a814e1a1a6c07
SHA256 872342c6f029de8e827eb9e34ccc9bf099dd2f6b47ffa45d955a0207cbc3116d
SHA512 261414278106f34a5db12554ac96f9b24ab57690fad796e7e5161b52dc65bd45bbc3493814d9ac4c1ec920abe0150e11607d409ceaca39914b434da198f824d0

C:\Users\Admin\AppData\Local\Temp\a00b8943

MD5 8f9f817e95b37e6359a9153cd650178c
SHA1 10b208cbfb7495d29caaa8ba7749e11f6c673020
SHA256 303741d38a281cf89df8fd67f9929fb81b39fd490adb9e5b4051ebc4b3c25f7b
SHA512 cf26ba6f5fc825d20b83ed001a2fb27b59f807bb22764ff0cb25f60d59a11d368b9fc6f0b6b1a43a05bb4d622c58f53fb6e967b81e13785e7b3667430d53c95c

C:\ProgramData\JJJDGIECFCAK\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\JJJDGIECFCAK\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\JJJDGIECFCAK\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-19 20:02
Reported 2024-06-19 20:04
Platform win11-20240611-en
Max time kernel 114s
Max time network 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe"

Signatures

Amadey

trojan amadey

Detect Vidar Stealer

stealer

Stealc

stealer stealc

Vidar

stealer vidar

xmrig

miner xmrig

XMRig Miner payload

miner

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\KFCFBFHIEB.exe N/A
N/A N/A C:\ProgramData\AFBAKKFCBF.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Watcher Com SH.job C:\Windows\SysWOW64\ftp.exe N/A
File created C:\Windows\Tasks\TWI Cloud Host.job C:\Windows\SysWOW64\ftp.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4296 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe C:\Windows\SysWOW64\more.com
PID 4296 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe C:\Windows\SysWOW64\more.com
PID 4296 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe C:\Windows\SysWOW64\more.com
PID 4296 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe C:\Windows\SysWOW64\more.com
PID 4560 wrote to memory of 1864 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 4560 wrote to memory of 1864 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 4560 wrote to memory of 1864 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 4560 wrote to memory of 1864 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 4560 wrote to memory of 1864 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1864 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\KFCFBFHIEB.exe
PID 1864 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\KFCFBFHIEB.exe
PID 1864 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\KFCFBFHIEB.exe
PID 1864 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\AFBAKKFCBF.exe
PID 1864 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\AFBAKKFCBF.exe
PID 1864 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\AFBAKKFCBF.exe
PID 1728 wrote to memory of 5112 N/A C:\ProgramData\AFBAKKFCBF.exe C:\Windows\SysWOW64\ftp.exe
PID 1728 wrote to memory of 5112 N/A C:\ProgramData\AFBAKKFCBF.exe C:\Windows\SysWOW64\ftp.exe
PID 1728 wrote to memory of 5112 N/A C:\ProgramData\AFBAKKFCBF.exe C:\Windows\SysWOW64\ftp.exe
PID 1756 wrote to memory of 4992 N/A C:\ProgramData\KFCFBFHIEB.exe C:\Windows\SysWOW64\ftp.exe
PID 1756 wrote to memory of 4992 N/A C:\ProgramData\KFCFBFHIEB.exe C:\Windows\SysWOW64\ftp.exe
PID 1756 wrote to memory of 4992 N/A C:\ProgramData\KFCFBFHIEB.exe C:\Windows\SysWOW64\ftp.exe
PID 1728 wrote to memory of 5112 N/A C:\ProgramData\AFBAKKFCBF.exe C:\Windows\SysWOW64\ftp.exe
PID 1756 wrote to memory of 4992 N/A C:\ProgramData\KFCFBFHIEB.exe C:\Windows\SysWOW64\ftp.exe
PID 4992 wrote to memory of 4828 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 4992 wrote to memory of 4828 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 4992 wrote to memory of 4828 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 1864 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2060 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2060 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 5112 wrote to memory of 4276 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 5112 wrote to memory of 4276 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4992 wrote to memory of 4828 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 5112 wrote to memory of 4276 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 5112 wrote to memory of 4276 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4276 wrote to memory of 1284 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Processes

C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\ProgramData\KFCFBFHIEB.exe

"C:\ProgramData\KFCFBFHIEB.exe"

C:\ProgramData\AFBAKKFCBF.exe

"C:\ProgramData\AFBAKKFCBF.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KECFCGHIDHCA" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl

Network

Country Destination Domain Proto
US 8.8.8.8:53 poocoin.online udp
NL 149.154.167.99:443 t.me tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 18.53.55.162.in-addr.arpa udp
US 172.67.212.123:443 businessdownloads.ltd tcp
US 199.232.196.193:443 i.imgur.com tcp
FI 135.181.22.88:80 135.181.22.88 tcp
FI 65.109.127.181:3333 tcp
US 45.152.112.146:80 proresupdate.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\9290e493

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\ProgramData\KECFCGHIDHCA\nss3.dll

C:\ProgramData\KECFCGHIDHCA\mozglue.dll

C:\ProgramData\KFCFBFHIEB.exe

C:\ProgramData\AFBAKKFCBF.exe

C:\Users\Admin\AppData\Local\Temp\8e4b2180

C:\Users\Admin\AppData\Local\Temp\97ab4f0d

C:\ProgramData\KECFCGHIDHCA\CBAEHC

C:\Users\Admin\AppData\Local\Temp\9b96f8d7

C:\Users\Admin\AppData\Local\Temp\9ee6682e

C:\ProgramData\KECFCGHIDHCA\DHIJDH

C:\ProgramData\KECFCGHIDHCA\FCBFBG

C:\ProgramData\KECFCGHIDHCA\VCRUNT~1.DLL

C:\ProgramData\KECFCGHIDHCA\softokn3.dll

C:\ProgramData\KECFCGHIDHCA\msvcp140.dll

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 20:02

Reported

2024-06-19 20:04

Platform

win7-20240508-en

Max time kernel

117s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2208 set thread context of 2416 N/A C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe C:\Windows\SysWOW64\more.com

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\CUF.au3

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe C:\Windows\SysWOW64\more.com
PID 2416 wrote to memory of 2692 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 2692 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\#^NeW_PcSetUp_6677_PaS_K_Y#$\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 148

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\a906ed9b

\Users\Admin\AppData\Local\Temp\CUF.au3
