Malware Analysis Report

2025-08-05 17:08

Sample ID 230331-p8pj7ahe97
Target 8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec
SHA256 8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec
Tags
djvu vidar 5df88deb5dde677ba658b77ad5f60248 discovery persistence ransomware spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file 8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec was found to be: Known bad.

Malicious Activity Summary

Detected Djvu ransomware

Djvu Ransomware

Vidar

Downloads MZ/PE file

Modifies file permissions

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Accesses 2FA software files, possible credential harvesting

Adds Run key to start application

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Checks processor information in registry

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-03-31 13:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-31 13:00

Reported

2023-03-31 13:02

Platform

win10v2004-20230220-en

Max time kernel

147s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe"

Signatures

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\23dfa7eb-45bd-45e5-9578-1b8f332ead15\build2.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8a0710de-231f-4d11-8200-895926a181e7\\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\23dfa7eb-45bd-45e5-9578-1b8f332ead15\build2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\23dfa7eb-45bd-45e5-9578-1b8f332ead15\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe
PID 1232 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe C:\Windows\SysWOW64\icacls.exe
PID 1232 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe
PID 4900 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe
PID 4336 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe C:\Users\Admin\AppData\Local\23dfa7eb-45bd-45e5-9578-1b8f332ead15\build2.exe
PID 4344 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\23dfa7eb-45bd-45e5-9578-1b8f332ead15\build2.exe C:\Users\Admin\AppData\Local\23dfa7eb-45bd-45e5-9578-1b8f332ead15\build2.exe
PID 4336 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe C:\Users\Admin\AppData\Local\23dfa7eb-45bd-45e5-9578-1b8f332ead15\build3.exe
PID 1552 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\23dfa7eb-45bd-45e5-9578-1b8f332ead15\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2468 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\23dfa7eb-45bd-45e5-9578-1b8f332ead15\build2.exe C:\Windows\SysWOW64\cmd.exe
PID 4880 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 5088 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe

"C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe"

C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe

"C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\8a0710de-231f-4d11-8200-895926a181e7" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe

"C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe

"C:\Users\Admin\AppData\Local\Temp\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\23dfa7eb-45bd-45e5-9578-1b8f332ead15\build2.exe

"C:\Users\Admin\AppData\Local\23dfa7eb-45bd-45e5-9578-1b8f332ead15\build2.exe"

C:\Users\Admin\AppData\Local\23dfa7eb-45bd-45e5-9578-1b8f332ead15\build2.exe

"C:\Users\Admin\AppData\Local\23dfa7eb-45bd-45e5-9578-1b8f332ead15\build2.exe"

C:\Users\Admin\AppData\Local\23dfa7eb-45bd-45e5-9578-1b8f332ead15\build3.exe

"C:\Users\Admin\AppData\Local\23dfa7eb-45bd-45e5-9578-1b8f332ead15\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\23dfa7eb-45bd-45e5-9578-1b8f332ead15\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 188.155.64.172.in-addr.arpa udp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 uaery.top udp
KR 222.236.49.124:80 uaery.top tcp
US 8.8.8.8:53 zexeq.com udp
KR 175.126.109.15:80 zexeq.com tcp
US 8.8.8.8:53 124.49.236.222.in-addr.arpa udp
US 8.8.8.8:53 15.109.126.175.in-addr.arpa udp
KR 175.126.109.15:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 78.47.168.170:80 78.47.168.170 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 41.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 170.168.47.78.in-addr.arpa udp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 52.182.141.63:443 tcp
US 8.8.8.8:53 0.77.109.52.in-addr.arpa udp
US 117.18.232.240:80 tcp
US 117.18.232.240:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp

Files

memory/1232-134-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1232-135-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1348-136-0x0000000002370000-0x000000000248B000-memory.dmp

memory/1232-137-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1232-138-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\8a0710de-231f-4d11-8200-895926a181e7\8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec.exe

MD5 c31fb9ce577cf5157f179495a2bf6ce8
SHA1 2adf67c3eb284bec857c964f29c8a774a3db8a6c
SHA256 8dec71df55f7027b3df7545f713663b63abec8ec23112aae1ae58fec78e8d5ec
SHA512 31ab5e9fe87ff7bf9676f13e120e3ad7ed9262404244d43b321fe361e55fc511572b39a6a34cb063c9350f5486326b2bd34e1ef0532fd70943d1b8d7f27971e3

memory/1232-147-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4336-151-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4336-152-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 6a3b8331e801f083b403b0857ed8d574
SHA1 48d275731f1dbd0630d1ca55a1b05f149a011d1f
SHA256 98651a2da4a4613bc2a03c4128926fe6b05f1af8a7a21e1fedec75db013706a0
SHA512 7527b8857707c8822e4b7f5049ddc9b4c49933e68535690746d84b7f0187a10f36e874719bdb1bf3ba8b035568a7cbafd687b80c4621dc35552d73f7e497071d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 b61bcb8fc72333400b5c4a9e6ba2c741
SHA1 4443b706bfe08c44aa0f5836494a8879e66d5b23
SHA256 26c5059dc5b8144e705294012de1de953c69180ce9c919d7ffdf1642219f022a
SHA512 5d970e1106a82c5e3d90708c66bce8ac5a0c057fd98d5ca544c668379ea19e31969367077e051c1b4f378ccd797ee08dba46b338bee83cfafcd2c50860c7798c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 ee7ad9d8f28e0558a94e667206e8a271
SHA1 b49a079526da92d55f2d1bc66659836c0f90a086
SHA256 9eeeef2cbd8192c6586ffa64114ad0c3e8e5ab3a73817e1044895517c6eba712
SHA512 0c1596e7b8e54e0cce8139a339c4c34f5f9391ce0b7051673abe7a43f174f292e0d3267b1ce1186247535941b416962b6fe63cb03855ddea254cf09fddad3223

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 5878dd8d731685cb7ca1a6210334bcbb
SHA1 5a181ca375472e4fd804f356e0cb45923a031122
SHA256 aaae76da3932f188eaf296112b4840c5fdf4376aa7f054eaad04670a6ef6458d
SHA512 62a95c8ac1ca66c08437f1210ba28f1f0ef837041e0200b3c56375fc46de03a14926a506773ddcc2a85be9fbe58a82988c3b0a490e7d00ee30db3217492e0bb8

memory/4336-157-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4336-158-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4336-159-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4336-163-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4336-165-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4336-166-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4336-167-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\23dfa7eb-45bd-45e5-9578-1b8f332ead15\build2.exe

MD5 aa18968e6cfbdc382ada6a3ed2852085
SHA1 4a41fa1a182916d5790aa2071106b3441d64468d
SHA256 c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb
SHA512 8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

memory/2468-179-0x0000000000400000-0x000000000046C000-memory.dmp

memory/2468-181-0x0000000000400000-0x000000000046C000-memory.dmp

memory/2468-183-0x0000000000400000-0x000000000046C000-memory.dmp

memory/4344-182-0x00000000046D0000-0x0000000004727000-memory.dmp

memory/2468-184-0x0000000000400000-0x000000000046C000-memory.dmp

C:\Users\Admin\AppData\Local\23dfa7eb-45bd-45e5-9578-1b8f332ead15\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/4336-193-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4336-197-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2468-207-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2468-275-0x0000000000400000-0x000000000046C000-memory.dmp

memory/2468-277-0x0000000000400000-0x000000000046C000-memory.dmp

memory/2468-278-0x0000000000400000-0x000000000046C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
