Malware Analysis Report

2025-08-05 17:09

Sample ID 230331-sfkx3scb8z
Target d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386
SHA256 d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386
Tags
djvu vidar 5df88deb5dde677ba658b77ad5f60248 discovery persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386

Threat Level: Known bad

The file d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386 was found to be: Known bad.

Malicious Activity Summary

djvu vidar 5df88deb5dde677ba658b77ad5f60248 discovery persistence ransomware spyware stealer

Detected Djvu ransomware

Djvu Ransomware

Vidar

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Modifies file permissions

Checks computer location settings

Looks up external IP address via web service

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses 2FA software files, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-31 15:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-31 15:04

Reported

2023-03-31 15:06

Platform

win10v2004-20230220-en

Max time kernel

144s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\32664ba3-81d2-404c-be85-d85564a5ee1c\\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 636 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe
PID 804 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe C:\Windows\SysWOW64\icacls.exe
PID 804 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe
PID 4780 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe
PID 4528 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe
PID 4528 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build3.exe
PID 3796 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2060 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe
PID 4164 wrote to memory of 540 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe

"C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe"

C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe

"C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\32664ba3-81d2-404c-be85-d85564a5ee1c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe

"C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe

"C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe

"C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe"

C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build3.exe

"C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe

"C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4660 -ip 4660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1708

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
NL 40.126.32.74:443 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 68.32.18.104.in-addr.arpa udp
US 8.8.8.8:53 188.155.64.172.in-addr.arpa udp
US 52.109.13.62:443 tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 uaery.top udp
KR 211.53.230.67:80 uaery.top tcp
US 8.8.8.8:53 zexeq.com udp
IR 80.210.25.252:80 zexeq.com tcp
US 8.8.8.8:53 67.230.53.211.in-addr.arpa udp
US 8.8.8.8:53 252.25.210.80.in-addr.arpa udp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
IR 80.210.25.252:80 zexeq.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 24.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
DE 78.47.168.170:80 78.47.168.170 tcp
US 20.189.173.14:443 tcp
US 8.8.8.8:53 170.168.47.78.in-addr.arpa udp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 8.247.211.254:80 tcp
US 8.247.211.254:80 tcp
NL 173.223.113.164:443 tcp

Files

memory/804-134-0x0000000000400000-0x0000000000537000-memory.dmp

memory/804-135-0x0000000000400000-0x0000000000537000-memory.dmp

memory/804-137-0x0000000000400000-0x0000000000537000-memory.dmp

memory/636-136-0x00000000023E0000-0x00000000024FB000-memory.dmp

memory/804-138-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\32664ba3-81d2-404c-be85-d85564a5ee1c\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe

MD5 cff4eb11ee8faa70599aca31159a37a4
SHA1 dbcaa707a0cbd494c266b98582acb64b8d81605e
SHA256 d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386
SHA512 028aa4bbb9e0b5b0203bfe4334523801fa5a000f84025f8d3bf1ece8659d862a693169ff15581b1070503709d317cbab2b55234ed5c6e79710d7594c19961d55

memory/804-147-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4528-151-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4528-152-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c6fcc0d51b425936142ae902858bb946
SHA1 86641c02a1384ea7c8fadcab4a3be1995ecdf15e
SHA256 42e25b13b15c6d0d81160b313285d212ae762e16c78c4176e8860ae527e63f61
SHA512 030d9eb13f487516bd08adb7015f54b21491453cf8b8f0e31d7be1ebfef8a455d2d7d3470775b90bc184b308c11f2d9264f0cfc66d52d6c33e8c43b9cf803815

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 6a3b8331e801f083b403b0857ed8d574
SHA1 48d275731f1dbd0630d1ca55a1b05f149a011d1f
SHA256 98651a2da4a4613bc2a03c4128926fe6b05f1af8a7a21e1fedec75db013706a0
SHA512 7527b8857707c8822e4b7f5049ddc9b4c49933e68535690746d84b7f0187a10f36e874719bdb1bf3ba8b035568a7cbafd687b80c4621dc35552d73f7e497071d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 ee7ad9d8f28e0558a94e667206e8a271
SHA1 b49a079526da92d55f2d1bc66659836c0f90a086
SHA256 9eeeef2cbd8192c6586ffa64114ad0c3e8e5ab3a73817e1044895517c6eba712
SHA512 0c1596e7b8e54e0cce8139a339c4c34f5f9391ce0b7051673abe7a43f174f292e0d3267b1ce1186247535941b416962b6fe63cb03855ddea254cf09fddad3223

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 cae9445fa1056bef50f1f24cc2dcd528
SHA1 58020dd47e47d8bf6583d37260dcd37cf7d75876
SHA256 c77571f1d8d06b4f9f341f7a7146246ae5483d91e1ee85158ce7db5fc3a511ee
SHA512 29d32ca83cdf3b2dc3db42ec4f2850204250a412b5faa1cfa33f7f998ae4b6a138e6bd2929c602cb08626a573301e160c3b1e0fb17f5fc7621e21730f1dfa489

memory/4528-157-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4528-159-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4528-163-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4528-166-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4528-165-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe

MD5 aa18968e6cfbdc382ada6a3ed2852085
SHA1 4a41fa1a182916d5790aa2071106b3441d64468d
SHA256 c165c8db38ef8dd8c33d103b5ee78e9ddafd8081ff0c7c035fa5251f970e6cfb
SHA512 8ffdacca2b003438fd4874e7c88beedb6ad8cf9cd5b36fda5907751e06a85a829e7d9ce7335fb59590462f78054722bccba511b21db838368c661d993000a845

memory/4528-185-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/4660-190-0x0000000000400000-0x000000000046C000-memory.dmp

memory/2060-193-0x0000000002D00000-0x0000000002D57000-memory.dmp

memory/4660-194-0x0000000000400000-0x000000000046C000-memory.dmp

memory/4660-192-0x0000000000400000-0x000000000046C000-memory.dmp

memory/4660-195-0x0000000000400000-0x000000000046C000-memory.dmp

memory/4660-206-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/4528-274-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4660-275-0x0000000000400000-0x000000000046C000-memory.dmp

memory/4660-276-0x0000000000400000-0x000000000046C000-memory.dmp

memory/4660-279-0x0000000000400000-0x000000000046C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a