Malware Analysis Report

2025-04-13 11:43

Sample ID 221019-3l63lsdca7
Target 83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339
SHA256 83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339
Tags
djvu vidar 517 discovery persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339

Threat Level: Known bad

The file 83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339 was found to be: Known bad.

Malicious Activity Summary

djvu vidar 517 discovery persistence ransomware spyware stealer

Djvu Ransomware

Vidar

Detected Djvu ransomware

Executes dropped EXE

Downloads MZ/PE file

Checks computer location settings

Modifies file permissions

Reads user/profile data of web browsers

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Accesses 2FA software files, possible credential harvesting

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-19 23:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-19 23:37

Reported

2022-10-19 23:39

Platform

win10v2004-20220812-en

Max time kernel

107s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe"

Signatures

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\cee88c56-c947-472e-a94c-f0fc0ac960ad\build2.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6c7dac92-b846-43a7-95ce-74c0c8b07961\\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\cee88c56-c947-472e-a94c-f0fc0ac960ad\build2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\cee88c56-c947-472e-a94c-f0fc0ac960ad\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4980 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe
PID 1584 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe C:\Windows\SysWOW64\icacls.exe
PID 1584 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe
PID 1920 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe
PID 4128 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe C:\Users\Admin\AppData\Local\cee88c56-c947-472e-a94c-f0fc0ac960ad\build2.exe
PID 1704 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\cee88c56-c947-472e-a94c-f0fc0ac960ad\build2.exe C:\Users\Admin\AppData\Local\cee88c56-c947-472e-a94c-f0fc0ac960ad\build2.exe
PID 4128 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe C:\Users\Admin\AppData\Local\cee88c56-c947-472e-a94c-f0fc0ac960ad\build3.exe
PID 4852 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\cee88c56-c947-472e-a94c-f0fc0ac960ad\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 4876 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe
PID 1184 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\cee88c56-c947-472e-a94c-f0fc0ac960ad\build2.exe C:\Windows\SysWOW64\cmd.exe
PID 5116 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe

"C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe"

C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe

"C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\6c7dac92-b846-43a7-95ce-74c0c8b07961" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe

"C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe

"C:\Users\Admin\AppData\Local\Temp\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\cee88c56-c947-472e-a94c-f0fc0ac960ad\build2.exe

"C:\Users\Admin\AppData\Local\cee88c56-c947-472e-a94c-f0fc0ac960ad\build2.exe"

C:\Users\Admin\AppData\Local\cee88c56-c947-472e-a94c-f0fc0ac960ad\build2.exe

"C:\Users\Admin\AppData\Local\cee88c56-c947-472e-a94c-f0fc0ac960ad\build2.exe"

C:\Users\Admin\AppData\Local\cee88c56-c947-472e-a94c-f0fc0ac960ad\build3.exe

"C:\Users\Admin\AppData\Local\cee88c56-c947-472e-a94c-f0fc0ac960ad\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\cee88c56-c947-472e-a94c-f0fc0ac960ad\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 93.184.220.29:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 rgyui.top udp
US 8.8.8.8:53 winnlinne.com udp
BR 138.36.3.134:80 rgyui.top tcp
UZ 195.158.3.162:80 winnlinne.com tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
UZ 195.158.3.162:80 winnlinne.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 78.46.160.87:80 78.46.160.87 tcp
US 8.8.8.8:53 tm.baiaveloz.com udp
DE 207.180.253.128:80 tm.baiaveloz.com tcp

Files

C:\Users\Admin\AppData\Local\6c7dac92-b846-43a7-95ce-74c0c8b07961\83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339.exe

MD5 0f98265d37abd75eb929d95554fdcde5
SHA1 19c351546115137e9fe052aa0ffc0a498fd5d3c2
SHA256 83085fc25b2349c15f8af67c84b36a707edc7abaaf63ca41046d014505398339
SHA512 5dc6ac1149e93555af84e4e951793de359cff48b81b556e183120f02353b9dbd9527332735882250a42ee19c3ef9302de7a89b98612977267326c57e200d1445

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 97ab7ffd65186e85f453dc7c02637528
SHA1 f22312a6a44613be85c0370878456a965f869a40
SHA256 630df8e970cc3b1ad508db713dd8be52e0ac7a5826f3f264a266232f9a1c23ee
SHA512 37d90c98e72ad55b2cbb938541c81bac1aa9d2b8a7e19f0fbfaa365b49e7bef2d3199f03e46aa9fbf3055f3701d21860820c451065f7e425d39bf86ca606bfb0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 270068767bbfc494c74f295e0c1fe015
SHA1 b1aea3bbc5b51e4d9e6006dbf2b0848eb208003e
SHA256 c88ed9da39b4a5d116b65426224cd94e5310e271cc961505e7ec3b4a4cf4a347
SHA512 3a47842b423327c3ea4fd06fc6ea2785764a2b61af4167d646994e7a02d08fb08a55485144664c5c9a09f2dc014ff1e073598cc32de0ea0e7bcdf86e6726c599

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 006c98bc42ac1d15f0ec70e3488783c5
SHA1 a8c8302826468c903b511e206d6d058e2c3acdaa
SHA256 e24883740fbed2781e4df4e5387cd95c3345ec9944edeeb36babd2c10135fa00
SHA512 e0caea17f99a18483e0195c5311942c195ef42532f1868bfb5c64b3f6cb72cc0fc58414176a9bfc66452e11d17c2058eafb483a41890f502ec76dc3a6807f2f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 c3e253b3179becd3e062ca431786dc04
SHA1 ea68fa68fb6f792dd8b0df03815374884c1ef2a3
SHA256 564e2be8e225926d82e9d946ce26588f74223aec9c5909b0b919af3d1a060c74
SHA512 3486cb5442255687058792af082d5f31572e862cbdcf0bbe25ab145bacad13727fa96b471ea2a930c715b3c05a9241a3a50a3123377e341d57e973a7431800c3

C:\Users\Admin\AppData\Local\cee88c56-c947-472e-a94c-f0fc0ac960ad\build2.exe

MD5 e4e90e1dda4b51d199d449fa936db902
SHA1 70de6b213f872ba782ba11cad5a5d1294ca9e741
SHA256 8ecc0426ea37a5c9e59d00b4fde1508175a950372ec3870965f1e527634b3419
SHA512 3958e1c40d69d5439b5e85bdb5765bb38ec5bba24f38a8aafb9a53c167ebaffb5c202441613af3f2d968c9c902de35036f67d87f7777efeb4c66869a7fc3c4ed

C:\Users\Admin\AppData\Local\cee88c56-c947-472e-a94c-f0fc0ac960ad\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\ProgramData\sqlite3.dll

MD5 1f44d4d3087c2b202cf9c90ee9d04b0f
SHA1 106a3ebc9e39ab6ddb3ff987efb6527c956f192d
SHA256 4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260
SHA512 b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
