File name:	dfd.exe
Full analysis:	https://app.any.run/tasks/a7d84a43-06b0-4fd3-971e-dca3f7956019
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 01, 2024, 12:14:14
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer lua
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (console) x86-64, for MS Windows
MD5:	57C4141D31F6F44A058EDCD91D67420A
SHA1:	72524C020E50CCB46F5629E0A102E04BD72C366A
SHA256:	56FFB100723C3E6466BC002D9A928E37E0F1FBDC766DBFBBD0EB8721E2FA68B1
SSDEEP:	12288:OktCvYqB7nw2efvpyL8YA0Ol9uj4ZU7S96J:OmCTB7nwt4L839YJS96

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2024:05:21 09:43:32+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.35
CodeSize:	354304
InitializedDataSize:	108032
UninitializedDataSize:	-
EntryPoint:	0x56f0c
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line
FileVersionNumber:	1.8.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
Comments:	LuaRT - Windows programming framework for Lua
CompanyName:	https:\www.luart.org
FileVersion:	5 ,4 ,6
InternalName:	LuaRT
LegalCopyright:	Copyright (C) Samir Tine 2024
ProductName:	LuaRT
ProductVersion:	5 ,4 ,6


(PID) Process:	(4732) SearchApp.exe	Key:	\REGISTRY\A\{466c8b5b-39d6-e601-204c-f50e054366b7}\2814751015243726\281535107058273\CortanaUI\44a65413067acd61cb60e74ea5537a73
Operation:	write	Name:	SnapshotCaptured
Value: 0
(PID) Process:	(2588) WerFault.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Operation:	delete value	Name:	DeviceTicket
Value:
(PID) Process:	(2588) WerFault.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
Operation:	delete value	Name:	0018BFFFB20EAB97
Value:
(PID) Process:	(6524) SearchApp.exe	Key:	\REGISTRY\A\{aeab3849-d949-deae-4086-699d2e170df0}\LocalState
Operation:	write	Name:	ShouldShowCombinedConsent
Value: 01CEDAAF8168FCDA01
(PID) Process:	(6524) SearchApp.exe	Key:	\REGISTRY\A\{aeab3849-d949-deae-4086-699d2e170df0}\LocalState
Operation:	write	Name:	ShouldUnregisterAllBackgroundTasks
Value: 01CEDAAF8168FCDA01
(PID) Process:	(6524) SearchApp.exe	Key:	\REGISTRY\A\{aeab3849-d949-deae-4086-699d2e170df0}\LocalState
Operation:	write	Name:	CortanaCapabilities
Value: 00000000CEDAAF8168FCDA01
(PID) Process:	(6524) SearchApp.exe	Key:	\REGISTRY\A\{aeab3849-d949-deae-4086-699d2e170df0}\LocalState
Operation:	write	Name:	RPSServerBing
Value: 63006F007200740061006E0061002E00620069006E0067002E0063006F006D000000CEDAAF8168FCDA01
(PID) Process:	(6524) SearchApp.exe	Key:	\REGISTRY\A\{aeab3849-d949-deae-4086-699d2e170df0}\LocalState
Operation:	write	Name:	RPSServerLive
Value: 730073006C002E006C006900760065002E0063006F006D000000CEDAAF8168FCDA01
(PID) Process:	(6524) SearchApp.exe	Key:	\REGISTRY\A\{aeab3849-d949-deae-4086-699d2e170df0}\LocalState\OnlineServices
Operation:	write	Name:	UseTestServer
Value: 00000000CEDAAF8168FCDA01
(PID) Process:	(6524) SearchApp.exe	Key:	\REGISTRY\A\{aeab3849-d949-deae-4086-699d2e170df0}\LocalState\OnlineServices\Providers\RulesRequest
Operation:	write	Name:	Id
Value: 1E000000CEDAAF8168FCDA01

PID	Process	Filename		Type
2588	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Microsoft.Window_e017d26da44618d4691adad6f68d2ddc5a28f1_ce03743e_ba8c4370-88c7-42fc-8f9e-3e947271cda8\Report.wer		—
		MD5:—	SHA256:—
6524	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\1\C__WINDOWS_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_2[1].txt		html
		MD5:90DA839863E06376BD346A727C3932B7	SHA256:A81380FD22FE48E47D5EB3CCB5F8049F5575406F9AE077797A20FF8DCF83099F
2588	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9D2.tmp.xml		xml
		MD5:A9C9DC9D18A9DA3832C6905F208ED4C8	SHA256:E0B4018EB0BA9F0C28473EB5822898537F58CB49242BD595B68B4909E576ED6D
2588	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\SearchApp.exe.4732.dmp		binary
		MD5:4C4BBDC849E6913073201EA8691E7481	SHA256:849CB2E293AA0B2E77AA84A353DDFF90F31E64D6D69DB6876B65DE46CA5D1C4A
2588	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7EC.tmp.dmp		dmp
		MD5:96DB981B91354FE124D3BC0781D6DCD1	SHA256:98717E91E94052EAC9E3620368DC9CCD154FC5A329022FD6255E4C3B16061C46
2588	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9A2.tmp.WERInternalMetadata.xml		xml
		MD5:197FCFD243E5FD21DF6E96F05351E7EF	SHA256:89F7355594D525702F48BC98278A4EBE676F254ED0E17E6CF6F6D8A99952C00B
6524	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\1\C__WINDOWS_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_11[1].txt		text
		MD5:0D001644C52F485D90450CFB61144CBB	SHA256:913535986852594D7AD04A34E64BD032467D8D45B8D3083F98B186C047AFB404
6524	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\1\C__WINDOWS_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_9[1].txt		text
		MD5:EEFA3E761F79209DFB77957EED105678	SHA256:FEEE778E404E849AF4A656C88EBEFC1769564DFF8DC544ED78BC0AF744256DD4
6524	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\1\C__WINDOWS_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_10[1].txt		txt
		MD5:964D45A4F14F747E8E5508ADC80A4BC3	SHA256:693C76BB0CED980901091F6EB7C86F9BC2AA92F5A8CAF58B04788E14EF5061DE
6524	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\1\C__WINDOWS_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_14[1].txt		txt
		MD5:BC85B3BBF96DE45DF258559E2043162D	SHA256:ED7568475870545DF768C6DE8308F64219479304DE7DB9171EC80DDBB12093AC

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	—	184.86.251.9:443	https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init	unknown	—	—	—
—	—	GET	200	184.86.251.22:443	https://r.bing.com/rb/19/cir3,ortl,cc,nc/CYGXBN1kkA_ojDY5vKbCoG4Zy0E.css?bu=C6QJlgOrBIAK5QjPCN4GXV1dXQ&or=w	unknown	text	19.9 Kb	—
—	—	POST	204	184.86.251.9:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	—
—	—	GET	200	184.86.251.27:443	https://r.bing.com/rb/19/cir3,ortl,cc,nc/oT6Um3bDKq3bSDJ4e0e-YJ5MXCI.css?bu=B74CSK0CiwFdXcoC&or=w	unknown	text	5.88 Kb	—
—	—	GET	200	184.86.251.7:443	https://r.bing.com/rb/3D/ortl,cc,nc/4-xJy3tX6bM2BGl5zKioiEcQ1TU.css?bu=A4gCjAKPAg&or=w	unknown	text	15.5 Kb	—
—	—	GET	200	184.86.251.27:443	https://www.bing.com/manifest/threshold.appcache	unknown	text	3.36 Kb	—
—	—	GET	200	184.86.251.7:443	https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w	unknown	s	21.3 Kb	—
—	—	POST	204	184.86.251.9:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	—
—	—	GET	200	184.86.251.27:443	https://www.bing.com/manifest/threshold.appcache	unknown	text	3.36 Kb	—
—	—	GET	200	184.86.251.7:443	https://r.bing.com/rb/16/jnc,nj/4bnLx4S3ZRMpYV30k3R5vRy8JVg.js?bu=DygxeIQBiQGMAYEBe37EAccBMbcBMcoB&or=w	unknown	s	21.4 Kb	—

PID	Process	IP	Domain	ASN	CN	Reputation
568	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6248	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
568	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4324	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2588	WerFault.exe	52.168.117.173:443	watson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
google.com	142.250.184.238	whitelisted
watson.events.data.microsoft.com	52.168.117.173	whitelisted
www.bing.com	184.86.251.27 184.86.251.7 184.86.251.22 184.86.251.9	whitelisted
r.bing.com	2.23.209.135 2.23.209.187 2.23.209.143 2.23.209.130 2.23.209.185 2.23.209.133 2.23.209.189 2.23.209.140 2.23.209.149	whitelisted

General Info

dfd.exe

57C4141D31F6F44A058EDCD91D67420A

72524C020E50CCB46F5629E0A102E04BD72C366A

56FFB100723C3E6466BC002D9A928E37E0F1FBDC766DBFBBD0EB8721E2FA68B1

12288:OktCvYqB7nw2efvpyL8YA0Ol9uj4ZU7S96J:OmCTB7nwt4L839YJS96

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

The process deletes folder without confirmation

Starts CMD.EXE for commands execution

Executes application which crashes

Reads the date of Windows installation

INFO

Reads the machine GUID from the registry

Checks supported languages

Creates files or folders in the user directory

Reads the software policy settings

Reads the computer name

Checks proxy server information

Manual execution by a user

Process checks computer location settings

Process checks Internet Explorer phishing filters

The process uses lua

Reads Environment values

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings