Malware Analysis Report

2024-11-16 13:49

Sample ID 240628-r21pzsvbra
Target !!fUlLSetup_3355_P@ssKeys!!.zip
SHA256 e3f61f01d319d83d17da2eca4a7c2b04aa51bdf84ec780f80be7698bdfded535
Tags
stealc vidar stealer discovery spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e3f61f01d319d83d17da2eca4a7c2b04aa51bdf84ec780f80be7698bdfded535

Threat Level: Known bad

The file !!fUlLSetup_3355_P@ssKeys!!.zip was found to be: Known bad.

Malicious Activity Summary

stealc vidar stealer discovery spyware

Stealc

Vidar

Detect Vidar Stealer

Downloads MZ/PE file

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-28 14:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 14:42

Reported

2024-06-28 14:46

Platform

win7-20240508-en

Max time kernel

148s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1956 set thread context of 2936 N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe C:\Windows\SysWOW64\more.com

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe C:\Windows\SysWOW64\more.com
PID 1956 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe C:\Windows\SysWOW64\more.com
PID 1956 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe C:\Windows\SysWOW64\more.com
PID 1956 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe C:\Windows\SysWOW64\more.com
PID 1956 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe C:\Windows\SysWOW64\more.com
PID 2936 wrote to memory of 2624 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 2936 wrote to memory of 2624 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 2936 wrote to memory of 2624 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 2936 wrote to memory of 2624 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 2936 wrote to memory of 2624 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 2936 wrote to memory of 2624 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 2624 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\VIDA.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2624 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\VIDA.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2624 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\VIDA.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2624 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\VIDA.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2936 wrote to memory of 2624 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Processes

C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 148

Network

N/A

Files

memory/1956-0-0x0000000000310000-0x0000000000311000-memory.dmp

memory/1956-1-0x0000000000400000-0x0000000000B60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b3c82acb

MD5 e9036df928c31d7ba3f8ed63275a9dc2
SHA1 d1effabbdb38682cf73f6ddb5f0170112efe6381
SHA256 f2516f2ea49297ceb88651eec0815035cf3961543891571f62a013df3a3400b2
SHA512 841cfceda5f9cbbb2689e158918c3c44071928ef6c96f20651b8aeae1211c423a8ff6fd3f4d50b7e9ce01b1cc12bcb020cbe941430376c991521c93ca49afe6d

memory/1956-7-0x000007FEF6620000-0x000007FEF6778000-memory.dmp

memory/1956-8-0x000007FEF6638000-0x000007FEF6639000-memory.dmp

memory/1956-9-0x000007FEF6620000-0x000007FEF6778000-memory.dmp

memory/1956-10-0x000007FEF6620000-0x000007FEF6778000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b63d3191

MD5 53c3098b69b106023eb0896db785b80b
SHA1 459953e42f06fabd4811e09e3dada77bafc06b1c
SHA256 49d6dd51b2163c7b3ea5292722eb0c291c1cc5b5b81ec171b1110d06f2cffb64
SHA512 dd2332eac5c822d8a9de828e05bd7a856d6527e40dca7a6b92113c6e32ae9541801c96d3cc55632a9f2bff100b3a1758840522626079f45dafbacd40ad8fa980

memory/2936-14-0x0000000076EC0000-0x0000000077069000-memory.dmp

memory/2936-16-0x0000000074850000-0x00000000749C4000-memory.dmp

memory/2936-18-0x0000000074850000-0x00000000749C4000-memory.dmp

memory/2936-17-0x000000007485E000-0x0000000074860000-memory.dmp

\Users\Admin\AppData\Local\Temp\VIDA.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2624-24-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2624-23-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2936-25-0x0000000074850000-0x00000000749C4000-memory.dmp

memory/2624-28-0x00000000004D0000-0x0000000000719000-memory.dmp

memory/2624-34-0x00000000004D0000-0x0000000000719000-memory.dmp

memory/2936-36-0x000000007485E000-0x0000000074860000-memory.dmp

memory/2624-37-0x00000000004D0000-0x0000000000719000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 14:42

Reported

2024-06-28 14:46

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VIDA.au3 N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VIDA.au3 N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3192 set thread context of 1548 N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe C:\Windows\SysWOW64\more.com

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\VIDA.au3 N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\VIDA.au3 N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VIDA.au3 N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3156 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:3

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 95.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 41.249.124.192.in-addr.arpa udp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
US 8.8.8.8:53 214.251.201.195.in-addr.arpa udp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 tcp
DE 195.201.251.214:9000 tcp
DE 195.201.251.214:9000 tcp
DE 195.201.251.214:9000 tcp
DE 195.201.251.214:9000 tcp
DE 195.201.251.214:9000 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
DE 195.201.251.214:9000 195.201.251.214 tcp
US 8.8.8.8:53 professionalresources.pw udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

memory/3192-0-0x0000000002780000-0x0000000002781000-memory.dmp

memory/3192-1-0x0000000000400000-0x0000000000B60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34f9922c

MD5 e9036df928c31d7ba3f8ed63275a9dc2
SHA1 d1effabbdb38682cf73f6ddb5f0170112efe6381
SHA256 f2516f2ea49297ceb88651eec0815035cf3961543891571f62a013df3a3400b2
SHA512 841cfceda5f9cbbb2689e158918c3c44071928ef6c96f20651b8aeae1211c423a8ff6fd3f4d50b7e9ce01b1cc12bcb020cbe941430376c991521c93ca49afe6d

memory/3192-7-0x00007FF9EAE00000-0x00007FF9EAF72000-memory.dmp

memory/3192-9-0x00007FF9EAE18000-0x00007FF9EAE19000-memory.dmp

memory/3192-10-0x00007FF9EAE00000-0x00007FF9EAF72000-memory.dmp

memory/3192-11-0x00007FF9EAE00000-0x00007FF9EAF72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\361f8f88

MD5 949ee647efc29dcadecd70c74afa5323
SHA1 c0209bff432dba243bb0e17169849e05bfaabbc8
SHA256 d67b816d427bcf133d33002b2029cfe371e91d4c96d88c59a476406505f36b77
SHA512 40f64129420e69e2f87110b1fa5ced16b6ea4cb0ad495ec285107c59a9ca5ce390c3563c197d7d81a41745d00e0237b1195b08c0ed858c8ba847a0b96858c2f0

memory/1548-15-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

memory/1548-18-0x00000000756DE000-0x00000000756E0000-memory.dmp

memory/1548-17-0x00000000756D0000-0x000000007584B000-memory.dmp

memory/1548-19-0x00000000756D0000-0x000000007584B000-memory.dmp

memory/1548-24-0x00000000756D0000-0x000000007584B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/1784-26-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmp

memory/1784-27-0x00000000004F0000-0x0000000000739000-memory.dmp

memory/1784-40-0x00000000263A0000-0x00000000265FF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/1548-87-0x00000000756DE000-0x00000000756E0000-memory.dmp

memory/1784-86-0x00000000004F0000-0x0000000000739000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

memory/1784-94-0x00000000004F0000-0x0000000000739000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-28 14:42

Reported

2024-06-28 14:46

Platform

win11-20240508-en

Max time kernel

144s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VIDA.au3 N/A

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4984 set thread context of 3992 N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe C:\Windows\SysWOW64\more.com

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\VIDA.au3 N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\VIDA.au3 N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4984 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe C:\Windows\SysWOW64\more.com
PID 4984 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe C:\Windows\SysWOW64\more.com
PID 4984 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe C:\Windows\SysWOW64\more.com
PID 4984 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe C:\Windows\SysWOW64\more.com
PID 3992 wrote to memory of 1568 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 3992 wrote to memory of 1568 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 3992 wrote to memory of 1568 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 3992 wrote to memory of 1568 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 3992 wrote to memory of 1568 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 3992 wrote to memory of 1568 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 1568 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\VIDA.au3 C:\Windows\SysWOW64\cmd.exe
PID 1568 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\VIDA.au3 C:\Windows\SysWOW64\cmd.exe
PID 1568 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\VIDA.au3 C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 5096 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 5096 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\VIDA.au3" & rd /s /q "C:\ProgramData\HJJECBKKECFI" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 tea.arpdabl.org udp

Files

memory/4984-0-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/4984-1-0x0000000000400000-0x0000000000B60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d454adad

MD5 e9036df928c31d7ba3f8ed63275a9dc2
SHA1 d1effabbdb38682cf73f6ddb5f0170112efe6381
SHA256 f2516f2ea49297ceb88651eec0815035cf3961543891571f62a013df3a3400b2
SHA512 841cfceda5f9cbbb2689e158918c3c44071928ef6c96f20651b8aeae1211c423a8ff6fd3f4d50b7e9ce01b1cc12bcb020cbe941430376c991521c93ca49afe6d

memory/4984-7-0x00007FFD1A2D0000-0x00007FFD1A44A000-memory.dmp

memory/4984-8-0x00007FFD1A2E8000-0x00007FFD1A2E9000-memory.dmp

memory/4984-9-0x00007FFD1A2D0000-0x00007FFD1A44A000-memory.dmp

memory/4984-10-0x00007FFD1A2D0000-0x00007FFD1A44A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d6d59b79

MD5 dc10504c9249cd00f504ca33d70b243d
SHA1 3f14ec60cddcd57d9d7a04852b2bfb358e6f4f64
SHA256 1b6a9ad1100a6694bc4742ab4d3843236f429215fabefdb61151e76247f6efcf
SHA512 02227223e145782118f070a8fd40298b2b45b993507d3566c422ea8f360328458ae1ae8b4fe38d691b76c0d1a6c1a1f979716dab822b4c6c58f9713639a726fc

memory/3992-14-0x00007FFD29240000-0x00007FFD29449000-memory.dmp

memory/3992-16-0x0000000075A10000-0x0000000075B8D000-memory.dmp

memory/3992-17-0x0000000075A1E000-0x0000000075A20000-memory.dmp

memory/3992-19-0x0000000075A10000-0x0000000075B8D000-memory.dmp

memory/3992-23-0x0000000075A10000-0x0000000075B8D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/1568-25-0x0000000000C40000-0x0000000000E89000-memory.dmp

memory/1568-27-0x00007FFD29240000-0x00007FFD29449000-memory.dmp

memory/1568-28-0x0000000000C40000-0x0000000000E89000-memory.dmp

memory/1568-29-0x0000000000C40000-0x0000000000E89000-memory.dmp

memory/3992-30-0x0000000075A1E000-0x0000000075A20000-memory.dmp

memory/1568-31-0x0000000000C40000-0x0000000000E89000-memory.dmp

memory/1568-32-0x0000000000C40000-0x0000000000E89000-memory.dmp