File name:	dfd.exe
Full analysis:	https://app.any.run/tasks/a7d84a43-06b0-4fd3-971e-dca3f7956019
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 01, 2024, 12:14:14
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer lua
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (console) x86-64, for MS Windows
MD5:	57C4141D31F6F44A058EDCD91D67420A
SHA1:	72524C020E50CCB46F5629E0A102E04BD72C366A
SHA256:	56FFB100723C3E6466BC002D9A928E37E0F1FBDC766DBFBBD0EB8721E2FA68B1
SSDEEP:	12288:OktCvYqB7nw2efvpyL8YA0Ol9uj4ZU7S96J:OmCTB7nwt4L839YJS96

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2024:05:21 09:43:32+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.35
CodeSize:	354304
InitializedDataSize:	108032
UninitializedDataSize:	-
EntryPoint:	0x56f0c
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line
FileVersionNumber:	1.8.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
Comments:	LuaRT - Windows programming framework for Lua
CompanyName:	https:\www.luart.org
FileVersion:	5 ,4 ,6
InternalName:	LuaRT
LegalCopyright:	Copyright (C) Samir Tine 2024
ProductName:	LuaRT
ProductVersion:	5 ,4 ,6


(PID) Process:	(4732) SearchApp.exe	Key:	\REGISTRY\A\{466c8b5b-39d6-e601-204c-f50e054366b7}\2814751015243726\281535107058273\CortanaUI\44a65413067acd61cb60e74ea5537a73
Operation:	write	Name:	SnapshotCaptured
Value: 0
(PID) Process:	(2588) WerFault.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Operation:	delete value	Name:	DeviceTicket
Value:
(PID) Process:	(2588) WerFault.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
Operation:	delete value	Name:	0018BFFFB20EAB97
Value:
(PID) Process:	(6524) SearchApp.exe	Key:	\REGISTRY\A\{aeab3849-d949-deae-4086-699d2e170df0}\LocalState
Operation:	write	Name:	ShouldShowCombinedConsent
Value: 01CEDAAF8168FCDA01
(PID) Process:	(6524) SearchApp.exe	Key:	\REGISTRY\A\{aeab3849-d949-deae-4086-699d2e170df0}\LocalState
Operation:	write	Name:	ShouldUnregisterAllBackgroundTasks
Value: 01CEDAAF8168FCDA01
(PID) Process:	(6524) SearchApp.exe	Key:	\REGISTRY\A\{aeab3849-d949-deae-4086-699d2e170df0}\LocalState
Operation:	write	Name:	CortanaCapabilities
Value: 00000000CEDAAF8168FCDA01
(PID) Process:	(6524) SearchApp.exe	Key:	\REGISTRY\A\{aeab3849-d949-deae-4086-699d2e170df0}\LocalState
Operation:	write	Name:	RPSServerBing
Value: 63006F007200740061006E0061002E00620069006E0067002E0063006F006D000000CEDAAF8168FCDA01
(PID) Process:	(6524) SearchApp.exe	Key:	\REGISTRY\A\{aeab3849-d949-deae-4086-699d2e170df0}\LocalState
Operation:	write	Name:	RPSServerLive
Value: 730073006C002E006C006900760065002E0063006F006D000000CEDAAF8168FCDA01
(PID) Process:	(6524) SearchApp.exe	Key:	\REGISTRY\A\{aeab3849-d949-deae-4086-699d2e170df0}\LocalState\OnlineServices
Operation:	write	Name:	UseTestServer
Value: 00000000CEDAAF8168FCDA01
(PID) Process:	(6524) SearchApp.exe	Key:	\REGISTRY\A\{aeab3849-d949-deae-4086-699d2e170df0}\LocalState\OnlineServices\Providers\RulesRequest
Operation:	write	Name:	Id
Value: 1E000000CEDAAF8168FCDA01

PID	Process	Filename		Type
2588	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Microsoft.Window_e017d26da44618d4691adad6f68d2ddc5a28f1_ce03743e_ba8c4370-88c7-42fc-8f9e-3e947271cda8\Report.wer		—
		MD5:—	SHA256:—
6524	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\1\C__WINDOWS_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_2[1].txt		html
		MD5:90DA839863E06376BD346A727C3932B7	SHA256:A81380FD22FE48E47D5EB3CCB5F8049F5575406F9AE077797A20FF8DCF83099F
2588	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9A2.tmp.WERInternalMetadata.xml		xml
		MD5:197FCFD243E5FD21DF6E96F05351E7EF	SHA256:89F7355594D525702F48BC98278A4EBE676F254ED0E17E6CF6F6D8A99952C00B
2588	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9D2.tmp.xml		xml
		MD5:A9C9DC9D18A9DA3832C6905F208ED4C8	SHA256:E0B4018EB0BA9F0C28473EB5822898537F58CB49242BD595B68B4909E576ED6D
2588	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7EC.tmp.dmp		dmp
		MD5:96DB981B91354FE124D3BC0781D6DCD1	SHA256:98717E91E94052EAC9E3620368DC9CCD154FC5A329022FD6255E4C3B16061C46
6524	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\1\C__WINDOWS_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_7[1].txt		text
		MD5:8817AF94A25B77C2E850DD1EEBCE57F0	SHA256:3BDDA8E5513855AC72A60E0E214EE102AC9CE09582FB957D646DF2A4AD522DAD
6524	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\1\C__WINDOWS_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_4[1].txt		text
		MD5:415B772FEE80A3FEA756426C98E6A885	SHA256:4077CB2E3513022C83D892AAB61FB42A36CF6E2FD72A7D8F234FCF609213C262
6524	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\1\C__WINDOWS_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_3[1].txt		text
		MD5:EE06188893F22EEC98577A9DB538EB92	SHA256:F12B6F92A4DFC7DEA83DC9025729C95A4169692D3A387A75B613A55B9405463F
6524	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\1\C__WINDOWS_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_11[1].txt		text
		MD5:0D001644C52F485D90450CFB61144CBB	SHA256:913535986852594D7AD04A34E64BD032467D8D45B8D3083F98B186C047AFB404
6524	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\1\C__WINDOWS_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_15[1].txt		text
		MD5:238D4EE548F37C1CC932E8629629E2A6	SHA256:D151BFFB1227AF8264F1AC5E3DB1812C40C726383636FF7DF3CE1A6D61596B1E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	—	184.86.251.9:443	https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init	unknown	—	—	unknown
—	—	GET	200	184.86.251.7:443	https://r.bing.com/rb/16/jnc,nj/4bnLx4S3ZRMpYV30k3R5vRy8JVg.js?bu=DygxeIQBiQGMAYEBe37EAccBMbcBMcoB&or=w	unknown	s	21.4 Kb	unknown
—	—	POST	204	184.86.251.9:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	unknown
—	—	GET	200	184.86.251.27:443	https://www.bing.com/manifest/threshold.appcache	unknown	text	3.36 Kb	unknown
—	—	GET	200	184.86.251.22:443	https://r.bing.com/rb/19/cir3,ortl,cc,nc/CYGXBN1kkA_ojDY5vKbCoG4Zy0E.css?bu=C6QJlgOrBIAK5QjPCN4GXV1dXQ&or=w	unknown	text	19.9 Kb	unknown
—	—	GET	200	184.86.251.7:443	https://r.bing.com/rb/3D/ortl,cc,nc/4-xJy3tX6bM2BGl5zKioiEcQ1TU.css?bu=A4gCjAKPAg&or=w	unknown	text	15.5 Kb	unknown
—	—	GET	200	184.86.251.27:443	https://r.bing.com/rb/19/cir3,ortl,cc,nc/oT6Um3bDKq3bSDJ4e0e-YJ5MXCI.css?bu=B74CSK0CiwFdXcoC&or=w	unknown	text	5.88 Kb	unknown
—	—	POST	204	184.86.251.9:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	unknown
—	—	GET	200	184.86.251.7:443	https://r.bing.com/rb/16/jnc,nj/4bnLx4S3ZRMpYV30k3R5vRy8JVg.js?bu=DygxeIQBiQGMAYEBe37EAccBMbcBMcoB&or=w	unknown	text	21.4 Kb	unknown
—	—	GET	200	184.86.251.22:443	https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w	unknown	s	21.3 Kb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
568	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6248	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
568	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4324	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2588	WerFault.exe	52.168.117.173:443	watson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
google.com	142.250.184.238	whitelisted
watson.events.data.microsoft.com	52.168.117.173	whitelisted
www.bing.com	184.86.251.27 184.86.251.7 184.86.251.22 184.86.251.9	whitelisted
r.bing.com	2.23.209.135 2.23.209.187 2.23.209.143 2.23.209.130 2.23.209.185 2.23.209.133 2.23.209.189 2.23.209.140 2.23.209.149	whitelisted

General Info

dfd.exe

57C4141D31F6F44A058EDCD91D67420A

72524C020E50CCB46F5629E0A102E04BD72C366A

56FFB100723C3E6466BC002D9A928E37E0F1FBDC766DBFBBD0EB8721E2FA68B1

12288:OktCvYqB7nw2efvpyL8YA0Ol9uj4ZU7S96J:OmCTB7nwt4L839YJS96

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

Starts CMD.EXE for commands execution

Executes application which crashes

The process deletes folder without confirmation

Reads the date of Windows installation

INFO

Checks supported languages

Reads the machine GUID from the registry

Creates files or folders in the user directory

Reads the computer name

Checks proxy server information

Reads the software policy settings

Process checks computer location settings

Manual execution by a user

Process checks Internet Explorer phishing filters

Reads Environment values

The process uses lua

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings