Malware Analysis Report

2025-08-10 18:24

Sample ID 240115-fg8z3shfer
Target 58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b
SHA256 58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b
Tags
djvu vidar discovery persistence ransomware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b

Threat Level: Known bad

The file 58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b was found to be: Known bad.

Malicious Activity Summary

djvu vidar discovery persistence ransomware stealer

Detected Djvu ransomware

Detect Vidar Stealer

Vidar

Djvu Ransomware

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:51

Reported

2024-01-15 04:56

Platform

win7-20231215-en

Max time kernel

298s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A (5 rows, every field N/A)

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (17 rows, every field N/A)

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
The call (command line under Processes) is icacls "C:\Users\Admin\AppData\Local\a2d35282-fae8-4629-8a65-b4f4bf65e769" /deny *S-1-1-0:(OI)(CI)(DE,DC): a deny ACE for Everyone (S-1-1-0) covering Delete (DE) and Delete Subfolders and Files (DC), inherited by the folder's files and subfolders (OI)(CI), on the directory that holds the ransomware's own copy. The copy can still be read and executed, but neither the user nor a cleanup script can delete it until the deny ACE is removed (icacls <folder> /remove:d *S-1-1-0 run by the folder owner or an administrator, or takeown followed by icacls /reset).
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
The value is written to the user's own hive (HKCU, SID ...-1000), so no elevation is needed; it launches the copy that the icacls call above protects, with --AutoStart as its argument.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a2d35282-fae8-4629-8a65-b4f4bf65e769\\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe N/A

Looks up external IP address via web service

The api.2ip.ua lookups are consistent with Djvu's documented check of the victim's public IP and country before it decides whether to encrypt; the Network table below shows the DNS resolutions and the two HTTPS connections behind these four rows.
Description Indicator Process Target
N/A api.2ip.ua N/A N/A (4 rows)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2240 set thread context of 2916 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 2880 set thread context of 2152 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 740 set thread context of 2044 N/A C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe
PID 2452 set thread context of 2016 N/A C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe
PID 2100 set thread context of 2640 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1440 set thread context of 2248 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 436 set thread context of 2328 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1468 set thread context of 1388 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
The key written is AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25, and the DER certificate inside the blob names itself C=US, O=DigiCert Inc, CN=DigiCert High Assurance EV Root CA (the hex 446967694365727420... is "DigiCert "). That thumbprint is the public DigiCert High Assurance EV Root CA, and AuthRoot is the store in which Windows' automatic root update caches a root that CryptoAPI obtained while building a TLS chain; the write is attributed to the process that made the connection, here build2.exe (compare the CryptnetUrlCache files under Files). The signature therefore reflects build2.exe's HTTPS traffic, not the installation of an attacker-controlled CA; it would only be alarming if the thumbprint were not a known public root.
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d4982
61a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (same value as the row above, written a second time) C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe N/A
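
The registry value above can be verified rather than taken on trust: a SystemCertificates Blob is a serialized list of certificate-context properties (DWORD property id, DWORD 1, DWORD length, data), and property 32 is the DER certificate itself. The Python below is an added example, not part of this report or of any sandbox's code. It parses that structure, reads the friendly name and the stored SHA-1, walks the DER to the subject, and recomputes the SHA-1 to confirm it equals the registry key name. The hex is the value recorded in the report (issuer and subject of this self-signed root are the same DN, so one literal is used twice); the property-id constants are the wincrypt.h values.

```python
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID, CERT_FRIENDLY_NAME_PROP_ID, CERT_CERT_PROP_ID = 3, 11, 32  # wincrypt.h

DIGICERT_DN = (  # C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
    "306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b1310"
    "7777772e64696769636572742e636f6d"
    "312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341"
)

AUTHROOT_BLOB_HEX = (  # value recorded in the report, one property (DWORD id, DWORD 1, DWORD len, data) per entry
    "0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8"        # 15 CERT_SIGNATURE_HASH
    "0900000001000000340000003032"                                            # 9  CERT_ENHKEY_USAGE, 5 EKU OIDs:
    "06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308"
    "5300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0"  # 83
    "140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc3"        # 20 CERT_KEY_IDENTIFIER
    "0b0000000100000012000000440069006700690043006500720074000000"            # 11 CERT_FRIENDLY_NAME, UTF-16LE
    "1d00000001000000100000008f76b981d528ad4770088245e2031b63"                # 29 subject-name MD5
    "0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"        # 3  CERT_SHA1_HASH (the key name)
    "2000000001000000c9030000"                                                # 32 CERT_CERT: DER, 0x3c9 bytes
    "308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500"
    + DIGICERT_DN +                                                           # issuer
    "301e170d3036313131303030303030305a170d3331313131303030303030305a"        # validity 2006-11-10 .. 2031-11-10
    + DIGICERT_DN +                                                           # subject (self-signed)
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"      # SPKI; RSA-2048 modulus follows
    "c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1c"
    "b05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f7"
    "4aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e3"
    "06e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8d"
    "b3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c"
    "89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55"
    "db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0a"
    "a838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb"
    "0203010001"                                                              # exponent 65537
    "a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff"  # KeyUsage, BasicConstraints CA
    "301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3"          # SubjectKeyIdentifier
    "301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3"      # AuthorityKeyIdentifier
    "300d06092a864886f70d0101050500"                                          # sha1WithRSAEncryption
    "0382010100"                                                              # signature BIT STRING, 256 bytes
    "1c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af3"
    "7ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5"
    "219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e355"
    "47316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b"
    "318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b"
    "0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4"
    "ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9c"
    "bf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a"
)


def parse_cert_blob(blob):
    """Serialized CERT_CONTEXT properties: repeated DWORD propid, DWORD reserved (1), DWORD length, data."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        propid, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        props[propid] = blob[off:off + length]
        off += length
    return props


def der_tlv(buf, off=0):
    """One DER TLV at buf[off]: (tag, value, offset after it); handles short and long-form lengths."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def der_children(value):
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        out.append((tag, val))
    return out


def subject_name(cert_der):
    """Certificate -> tbsCertificate -> subject, returned as {attribute OID hex: value}."""
    _tag, cert, _end = der_tlv(cert_der)
    fields = der_children(der_children(cert)[0][1])
    skip = 1 if fields[0][0] == 0xA0 else 0          # optional [0] EXPLICIT version
    names = {}
    for _set_tag, rdn in der_children(fields[skip + 4][1]):
        for _seq_tag, atv in der_children(rdn):      # AttributeTypeAndValue = OID, value
            (_oid_tag, oid), (_val_tag, val) = der_children(atv)
            names[oid.hex()] = val.decode("utf-8")   # 550403 = CN, 55040a = O, 550406 = C
    return names


def inspect_authroot_blob(blob_hex):
    """Decode a SystemCertificates Blob and check that the DER hashes to the stored thumbprint."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[CERT_CERT_PROP_ID]
    stored = props[CERT_SHA1_HASH_PROP_ID].hex().upper()
    computed = hashlib.sha1(der).hexdigest().upper()
    return {
        "friendly_name": props[CERT_FRIENDLY_NAME_PROP_ID].decode("utf-16-le").rstrip("\x00"),
        "stored_sha1": stored, "computed_sha1": computed, "thumbprint_matches": stored == computed,
        "subject": subject_name(der), "cert_len": len(der),
    }
```

The same routine applied to a suspicious AuthRoot or Root key answers the two questions that matter: does the DER really hash to the thumbprint used as the key name, and is that thumbprint one of the public roots Windows ships or fetches, or something the malware minted.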

Suspicious use of WriteProcessMemory

Description Indicator Process Target Rows
PID 2240 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe 11
PID 2916 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Windows\SysWOW64\icacls.exe 4
PID 2916 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe 4
PID 2880 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe 11
PID 2152 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe 4
PID 740 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe 11
PID 2152 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe 4
PID 2044 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe C:\Windows\SysWOW64\WerFault.exe 4
PID 2452 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe 10
PID 2016 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe C:\Windows\SysWOW64\schtasks.exe 1
(64 rows in all, shown as one line per parent/child pair with the row count. The listing stops at the schtasks.exe launch, so the later mstsca.exe processes that appear in the SetThreadContext table have no rows here.)
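
The two tables above read more easily as a process tree. The Python below is an added example, not anything from the report or the sandbox. It parses rows in the report's own row format (a constructed sample with one row per distinct parent/child pair, the 2240 -> 2916 write row repeated three times to show counting), keys processes by (PID, image) so that the reuse of PID 2100 (icacls.exe early in the run, mstsca.exe later) does not merge two different processes into one node, and flags every SetThreadContext whose child runs the parent's own image as a hollowing candidate together with the number of WriteProcessMemory rows seen for that pair.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the report's row format; image paths are the ones the report lists.
S = r"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe"
B2 = r"C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe"
B3 = r"C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe"
M = r"C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
SYS = r"C:\Windows\SysWOW64"
CTX, WPM = "set thread context of", "wrote to memory of"
SAMPLE_ROWS = "\n".join(f"PID {p} {verb} {c} N/A {pi} {ci}" for p, verb, c, pi, ci in [
    (2240, CTX, 2916, S, S), (2880, CTX, 2152, S, S), (740, CTX, 2044, B2, B2), (2452, CTX, 2016, B3, B3),
    (2100, CTX, 2640, M, M), (1440, CTX, 2248, M, M), (436, CTX, 2328, M, M), (1468, CTX, 1388, M, M),
    (2240, WPM, 2916, S, S), (2240, WPM, 2916, S, S), (2240, WPM, 2916, S, S),
    (2916, WPM, 2100, S, SYS + r"\icacls.exe"), (2916, WPM, 2880, S, S), (2880, WPM, 2152, S, S),
    (2152, WPM, 740, S, B2), (740, WPM, 2044, B2, B2), (2152, WPM, 2452, S, B3),
    (2044, WPM, 1000, B2, SYS + r"\WerFault.exe"), (2452, WPM, 2016, B3, B3),
    (2016, WPM, 1520, B3, SYS + r"\schtasks.exe"),
])

ROW = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Signature rows -> (verb, parent_pid, child_pid, parent_image, child_image)."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ppid, verb, cpid, pimg, cimg = m.groups()
            rows.append((verb, int(ppid), int(cpid), pimg, cimg))
    return rows


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_tree(rows):
    """Parent -> children map keyed by (pid, image); a reused PID must not collapse two processes."""
    children, order, is_child = defaultdict(list), [], set()
    for _verb, ppid, cpid, pimg, cimg in rows:
        parent, child = (ppid, pimg), (cpid, cimg)
        for node in (parent, child):
            if node not in order:
                order.append(node)
        if child not in children[parent]:
            children[parent].append(child)
        is_child.add(child)
    roots = [n for n in order if n not in is_child]
    return roots, children


def render(node, children, depth=0):
    lines = ["  " * depth + f"{node[0]} {basename(node[1])}"]
    for child in children.get(node, []):
        lines.extend(render(child, children, depth + 1))
    return lines


def process_tree(text):
    roots, children = build_tree(parse_rows(text))
    return "\n".join(line for root in roots for line in render(root, children))


def write_counts(rows):
    return Counter((p, c) for verb, p, c, _pi, _ci in rows if verb == WPM)


def hollowing_candidates(rows):
    """SetThreadContext on a child running the parent's own image: the suspended-self-copy pattern."""
    writes = write_counts(rows)
    pairs = sorted({(p, c, basename(pi)) for verb, p, c, pi, ci in rows if verb == CTX and pi == ci})
    return [{"parent": p, "child": c, "image": img, "writes": writes.get((p, c), 0)} for p, c, img in pairs]


if __name__ == "__main__":
    print(process_tree(SAMPLE_ROWS))
    for h in hollowing_candidates(parse_rows(SAMPLE_ROWS)):
        print(h)
```

Keying on (PID, image) is the point: with PID alone, the mstsca.exe chain started by PID 2100 would be drawn underneath the icacls.exe that held PID 2100 earlier, and the tree would claim a relationship that never existed.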

Processes

Launch order as recorded. PIDs are the ones used in the SetThreadContext and WriteProcessMemory tables above. The sample, build2.exe, build3.exe and mstsca.exe each appear twice in a row because the first instance starts a second copy of itself, writes into it and sets its thread context (the two tables above), the process-hollowing pattern; the second instance of each pair is the one that runs the real code.

PID 2240: C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe

"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe"

PID 2916 (hollowed copy started by 2240): C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe

"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe"

PID 2100 (started by 2916): C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\a2d35282-fae8-4629-8a65-b4f4bf65e769" /deny *S-1-1-0:(OI)(CI)(DE,DC)

PID 2880 (started by 2916): C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe

"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe" --Admin IsNotAutoStart IsNotTask

PID 2152 (hollowed copy started by 2880): C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe

"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe" --Admin IsNotAutoStart IsNotTask

PID 740 (started by 2152): C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

"C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe"

PID 2044 (hollowed copy started by 740): C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

"C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe"

PID 2452 (started by 2152): C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe

"C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe"

PID 1000 (started from 2044, the process that crashed; this is the "Program crash" signature): C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1464

PID 2016 (hollowed copy started by 2452): C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe

"C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe"

PID 1520 (started by 2016): C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\taskeng.exe (Task Scheduler engine running the task in the Admin user's interactive session)

taskeng.exe {E83BAB74-7AE2-4AD1-AE09-0419A9B8AEC3} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (two instances, the second a hollowed copy of the first)

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe (the same task registered a second time; no PID for this instance in the tables above)

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (six further instances: three launches, each followed by its hollowed copy)

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

The eight mstsca.exe instances are the four parent/child pairs of the SetThreadContext table: 2100 -> 2640, 1440 -> 2248, 436 -> 2328 and 1468 -> 1388 (PID 2100 has been reused by this point; icacls.exe held it earlier in the run). The task fires every minute, which is why four launches fit inside the 298 s kernel run time.
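
The three command lines that establish persistence and block cleanup (the icacls deny, the schtasks registration and the SysHelper Run value) can be scored mechanically. The Python below is an added example, not the report's or any vendor's detection code. It parses process command lines and registry writes in the shape an EDR delivers them, using constructed events copied from this report plus one benign schtasks line as a control, and returns a reason for every hit so an analyst can see why the rule fired.

```python
import re

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
TOKEN = re.compile(r'"[^"]*"|\S+')                       # keeps quoted paths with spaces as one token
ICACLS_DENY = re.compile(r'^icacls\s+"?(?P<path>[^"]+?)"?\s+/deny\s+\*?(?P<sid>[^:\s]+):(?P<spec>\S+)', re.I)

# Constructed events: three from this report, the last a benign control that must not fire.
EVENTS = [
    {"type": "process", "cmdline": r'icacls "C:\Users\Admin\AppData\Local\a2d35282-fae8-4629-8a65-b4f4bf65e769" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "process", "cmdline": r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'},
    {"type": "registry",
     "key": r"\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SysHelper",
     "data": r'"C:\Users\Admin\AppData\Local\a2d35282-fae8-4629-8a65-b4f4bf65e769\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe" --AutoStart'},
    {"type": "process", "cmdline": r'schtasks /create /sc daily /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'},
]


def tokens(cmdline):
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def switches(toks):
    """/switch -> value, or True for a bare switch, for schtasks-style argument lists."""
    out, i = {}, 0
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                out[key] = toks[i + 1]
                i += 2
                continue
            out[key] = True
        i += 1
    return out


def check_schtasks(cmdline):
    sw = switches(tokens(cmdline))
    if "/create" not in sw:
        return None
    target = str(sw.get("/tr", ""))
    minutes = int(sw.get("/mo", 1)) if str(sw.get("/sc", "")).lower() == "minute" else None
    reasons = []
    if minutes is not None and minutes <= 5:
        reasons.append(f"relaunched every {minutes} minute(s): a watchdog, not a scheduled job")
    if re.search(r"\\AppData\\", target, re.I):
        reasons.append("action runs a binary from the user profile rather than Program Files or System32")
    if sw.get("/f") is True:
        reasons.append("/F silently replaces any existing task with that name")
    return {"kind": "scheduled_task", "name": sw.get("/tn"), "target": target,
            "interval_minutes": minutes, "reasons": reasons}


def check_icacls(cmdline):
    m = ICACLS_DENY.match(cmdline)
    if not m:
        return None
    spec = re.findall(r"\(([^)]*)\)", m["spec"])          # ['OI', 'CI', 'DE,DC']
    rights = spec[-1].split(",") if spec else []
    reasons = []
    if m["sid"] == "S-1-1-0" and {"DE", "DC"} & set(rights):
        reasons.append("denies Everyone the right to delete the folder or its contents")
    if {"OI", "CI"} <= set(spec):
        reasons.append("deny ACE inherited by files and subfolders")
    return {"kind": "acl_deny", "path": m["path"], "principal": m["sid"], "rights": rights, "reasons": reasons}


def split_command(data):
    """Run-value data -> (image path, arguments), whether or not the path is quoted."""
    data = data.strip()
    if data.startswith('"'):
        end = data.index('"', 1)
        return data[1:end], data[end + 1:].strip()
    first, _sep, rest = data.partition(" ")
    return first, rest


def check_run_value(key, name, data):
    if not re.search(r"\\CurrentVersion\\Run$", key, re.I):
        return None
    path, args = split_command(data)
    reasons = []
    if re.search(r"\\AppData\\Local\\" + GUID + r"\\", path, re.I):
        reasons.append("image lives in a GUID-named folder under AppData\\Local, where the sample copied itself")
    if "--autostart" in args.lower():
        reasons.append("launched with --AutoStart, the switch the sample gives its persisted copy")
    hive = "HKCU" if key.upper().startswith("\\REGISTRY\\USER") else "HKLM"
    return {"kind": "run_key", "hive": hive, "value": name, "path": path, "args": args, "reasons": reasons}


def triage(events):
    """Run each event through the checks; keep only findings with at least one reason."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            finding = check_schtasks(ev["cmdline"]) or check_icacls(ev["cmdline"])
        else:
            finding = check_run_value(ev["key"], ev["name"], ev["data"])
        if finding and finding["reasons"]:
            findings.append(finding)
    return findings
```

The benign control shows the intended precision: a daily task pointing into Program Files produces a parsed record but no reasons, so it is not reported, while a one-minute task whose action sits under AppData collects three.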

Network

The api.2ip.ua queries are the external-IP lookup flagged above. brusuax.com and habrafa.com are reached over plain HTTP on port 80 at KR-hosted addresses and are consistent with the Djvu component's known C2 hosts; t.me and steamcommunity.com over HTTPS match Vidar's documented dead-drop resolvers, where the stealer reads its real C2 address out of a Telegram channel and a Steam profile page, and the direct connections to 65.109.241.139:443 (no domain) are consistent with the C2 obtained that way. All DNS goes straight to 8.8.8.8, so these names will not appear in an internal resolver's logs; proxy or egress flow logs are the place to look.
Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
KR 123.140.161.243:80 habrafa.com tcp
KR 211.168.53.110:80 brusuax.com tcp
KR 123.140.161.243:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp

Files

The memory/<pid>-<n>-<start>-<end>-memory.dmp entries are regions the sandbox dumped from the named process. The 0x400000-0x537000 image region of the hollowed children 2916 and 2152, and 0x400000-0x65E000 of 2044, are the regions their parents wrote into, so those dumps rather than the packed sample on disk are the input for YARA or static analysis. Several dropped paths (build2.exe, build3.exe) are listed more than once with different hashes: the file was hashed at successive write points while it was being downloaded, so the earlier hashes are of partial content and only the last one recorded for a path can be expected to be the complete binary.

memory/2240-0-0x0000000000240000-0x00000000002D2000-memory.dmp

memory/2240-1-0x0000000000240000-0x00000000002D2000-memory.dmp

memory/2240-2-0x00000000004D0000-0x00000000005EB000-memory.dmp

memory/2916-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2916-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2916-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2916-8-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\a2d35282-fae8-4629-8a65-b4f4bf65e769\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe

MD5 801d88770313a1b52d78aac315b5e44e
SHA1 295694fa03a099bb977049b5d0348ae59ffeb6f5
SHA256 b0922cb660f9d08eee36ea7c11c6109301597c97f420e5e4a5211ff420bac8b2
SHA512 04326ffee6c928e1fbb527a6fd6e66eeebcd9ecce1d53dde694cffd2847df1514e2cdc5dffc0785ae9da705298fa76ab7e6fdd5e6d666e5c0f3bc3ccb8fb350b

memory/2916-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2880-27-0x0000000001CE0000-0x0000000001D72000-memory.dmp

memory/2880-34-0x0000000001CE0000-0x0000000001D72000-memory.dmp

memory/2152-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2152-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2880-29-0x0000000001CE0000-0x0000000001D72000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7a617aacb167ff477b6174ea445129ac
SHA1 a8621d37008de52315fc425204e12e430400b027
SHA256 4833a7c1b75f46d2270dd956c6cd8275039d00cd176dc4d5741670928fdd6a10
SHA512 040631344987a1195f331c222b04455533a235253da8a854a3bf20d3c9e9fd93effd22f677f25222f52e667e70d5b4e3c8fa7fc2fa1bed54588bdf5178c9e07c

C:\Users\Admin\AppData\Local\Temp\Cab6CC7.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b9834a90af53b48e47bc03ce501cef1
SHA1 819f847cf6d4f7393d81f8399b798999cf082947
SHA256 e3b22fe7b710d185c43e5ef21a4e2ff01101ded1eb7fedc277f90972855289a1
SHA512 b9fcb4b3311f810e6912853b8936ec175f33fbf8e652d18e0a2d23760f4f11bfceac7a9b22c3f6e625773ec9c88ba81c17e49651370e740c2db91b28c3e2c410

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 9f8cb28a41f4e6ce22e66da1394e3493
SHA1 89be50044db9b8fe36c9c8ffa583fa85e83086c8
SHA256 9e25075febf7fde0e6c7615b06b1e0ca3d5e4629930809eb2d46cd34924f4ead
SHA512 dd7f6289c9821545a979b3516743bed2ba71b4e43ca3b6eee9e7fc0ceaf1c40f8ec817a067ba8050e56195438ccb602b262b64e0f58bd52121715892f234f0f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

memory/2152-50-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2152-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2152-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2152-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2152-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2152-58-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

MD5 ad38fdd0db4c7c0191ae83ce7a61e4ee
SHA1 6843d68e8290aec4cefc0ba37a8d61a10b1c7e7c
SHA256 66fa9727b477df887578c3570f26ee57571d0ed82dbdbdcde028fbe1541b5fea
SHA512 905d95ccebac7d64adfdcdc7a7efc98744713c7ce09edce5ab3ea9f6b885c9e019052887f7bf0d905fe6d231191d83027993d11edff7c9dbdd25f12f6a11bcb2

C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

MD5 e89bde19fb9b37c089ca3abd84b032d2
SHA1 bb7544fca99ecc0ad52ada96174aeab60fc73ff3
SHA256 aef4380723a2bffa187fad845a3b07c1977e3fcad4e4864a63c691da7a3a366c
SHA512 a4a63857e2084559f6a9a1b405057e0105ac6dc2ede932df7ebe3c1967b2df099131b0a37aada12945220eb94cfac691d67d0fe82898d1a9a42096cf60a9772e

C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

MD5 c2e8559bea84c210250b05175275dd91
SHA1 21ba87ac0920c39986d1dd6d0f12d707f0f22b0d
SHA256 7874e9bfac041e51b91565bc75494e41746da7b216daa8de4f14e3038ea1de69
SHA512 1d76b016b8eabdc2b54cde0707af1f3a1a691a742db8a34bf338dfbb1269f3a1a6d16ca64c7208565afa652a566c4ba6a66ca0db8fe6d953d644845705318fc3

\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

MD5 efdf40d4b946d5fe1253d2e40f9c5115
SHA1 bfa7e266d5260cabb1631b046dad2cf747ed64f3
SHA256 0c0589df21420e803078064ff51f209744b2123146cb8072af9120e44a798171
SHA512 23c92e5afb065878a8cde7b4ac1d9d53ba590cc039b4b6f944cce2f06efb92ae39cc9735e8fb352aa2087f369a268dddcabeb017e0d18f4b5d24b4b6f56e1b09

memory/740-73-0x00000000005B0000-0x00000000006B0000-memory.dmp

memory/2044-79-0x0000000000400000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

MD5 f94c2f0a318fbe7d6abbdb7f94bc996f
SHA1 ef0bc409ee4812c2b7a1dd85c8cabc802e80a1c2
SHA256 cdeaa3ffd1338cb4b02c66ebfeb6dc6f1070beb6e8fbf501477129d7eff34670
SHA512 5ac94bcea0847ef32691e21c64f67aa90f8f09c136695297166681047cc1b3abe0127f1b0a8397163ee5e40fcc38d246bc1cce7e63b3bd0d8318228af70b380d

memory/2044-80-0x0000000000400000-0x000000000065E000-memory.dmp

memory/740-75-0x0000000000230000-0x000000000027B000-memory.dmp

memory/2044-76-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2044-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

MD5 f95ea965e227ac34fcdb0a2861639025
SHA1 e2249206c9436cb19c6192d418b0aa6c7c3c6d6e
SHA256 906fd64c362f6750499ae166302d4d8e1268176ceed0f14dfadb8e1d272c0e92
SHA512 0a405ac3e0439e8ca87f90abecac99cc094b5bee6e331f115a2058a214450d73703dc98d8eb5e2870483472f620732f16be6144e2945481a335861264e07a538

C:\Users\Admin\AppData\Local\Temp\Tar8538.tmp

MD5 1c72ad556b8e38e1c6329e18e5a639c4
SHA1 29af4d07dd3346f6bfecbd614825d29d7c60674f
SHA256 48fb75c2c46735c2410b2322f0e590b5e8878e82fca923b61b02d5a7288ebc63
SHA512 2c23e244492da837e9777d5b0bf12173e3458a5f9317b0c2c1305116669111d2451ca475328d69fe88278da071ed4413ff762587a18567b170e392c2b34e57f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8fa59842506baabfd6dfb2364632958
SHA1 aa5ad8196c99651c4d96b341d7dd0ed8f1a9b367
SHA256 3b6584ff933e9583ea9c988a65354060522f90c5507edb767b49ed34fb188eaa
SHA512 1403b765c0567672ba93d5098df503c304b836be9c80c816d3109e68c6e584df41e86cc9ceaf0836138654283f6c63d50f126bd5398781c557f26e1b467caac2

C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe

MD5 a82bf8636c06e7081df3c88f120640be
SHA1 4277d5f45ced663c86583f9c8e6ff339fae8cf79
SHA256 315c021ef2b5fd836b1242309346102c35da6209a54b25207af192283e74267b
SHA512 8160aa3a0978473c816185d021f6ae993b62f16613cc3c0af71fa619b818de18e8a839b6994821bcc141655585eeeebcf7acd8852c10a0bdfa495164a5f79ab2

C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe

MD5 38331a82abe588b06cd02561e498c89c
SHA1 15ecc31f1cac2903830080b760e32740cfae3bb8
SHA256 c4e53a406513d0af7c491270e3eccd6f0c3c1973c7750a37fcec8c7c5d38e144
SHA512 c73b68bfe28b9f553b616dbaa90bf95021859702dc1b83e08bed12a0378b1f74b3e9b5e164ebfd74a3664c5c09c596cfb6f6a40a08b48f16229f1639f5c0adcc

\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe

MD5 e1851d2ef4776535dda5f7813c664724
SHA1 4337e412b5a9612e4fca5f696185fca563a4ffe2
SHA256 a8e228e248ed175221b672da4f12a21559ed79777b9fcc38c9ba12603f9cc2e4
SHA512 f50bbde99af3c938756e880b15457f313c3188225637a8e4c03b7ddaf4771cf28cd07772ce58986f46c25a81fec095c639a28895235e9a7a92182e6e127b64de

memory/2152-152-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe

MD5 8b6a819c6926597dfa7529b692d7a6cc
SHA1 50c535e9cca464afd3a589d2231d87ce417d4312
SHA256 b9cb5501cc2d257e049e1757062523c7f9ee5a85d57d46538fe492125befd26c
SHA512 dfd28b270d99ad89f8ce1df9750b92ff558f73fe2448bf182b5c1c05c7b180bb29175eeaf5a7c918791d64b36167fc1a6044f1aaff838e02e878782f5f6c0ba9

\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

MD5 a99dce227407cd4a8ae67fbe37b6079d
SHA1 81abb6534ac149b97cafa41e580a707de285b790
SHA256 c6c569d62c9a1ac8d5adc29a449101b71cacaf680766bc97f997a93b2ad3a273
SHA512 ab309db5b34806dbd733c26c0f4ab42d0b564212c4205d34d7b0a71e81af489927e1bbbfe65bb5e767f7ab3b59a94e9cf32485df32e00f5b98bdedd5e4f1dcd5

\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

MD5 2b1044986fed50e3db11f62830caa61e
SHA1 007be66f57f620becaa579d7b62ad133f9611b9e
SHA256 ecf7cb6948472812e614d5b0d502ca87e363521db2a11bf1a55450b9ab5acda5
SHA512 2b06b7e92d2e1ff66de2939a1a1fcb60c38f8bf5847674a28d96aecf214f74c6025e2db91819f43416ae96ffd0847def53afc79d8510748866542fc27dfbba17

\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

MD5 667e150e0eaef936810f438619a01955
SHA1 3bc7f72365daceecc63162ba53f9b90eb65a7be8
SHA256 3c6ab98262ad6701a7e0f1abba0c1ab0d85e2613bda4ece76533267daa30f97f
SHA512 11cb93f49a3fc1a21488eca1676419511cc1b915db878e0c1978eb1bbeee8aa39d7d14cf2de60bb690dc95aeddd9186f948974178806b0ac6beb200ef368494b

\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe

MD5 1bc8b52ac0ae323631fe28dda57f1c0c
SHA1 333c0d702ed1216ff087e5348646c7d2c5f6b50a
SHA256 ca2a209552033bfdc228bea070a611d8452616fd2cc23ee0b53363f80ff8ea1c
SHA512 5d1d61e7fd700b75f8ea89a5322f9bdae14486e365bfadb56fb8d20c2a4084cb2b94aa23f50efd692fbc5979cb0e6a0af8c3dfe326baf43d394b13a15e656f56

memory/2452-220-0x0000000000312000-0x0000000000323000-memory.dmp

memory/2016-217-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2452-221-0x00000000001B0000-0x00000000001B4000-memory.dmp

C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe

MD5 60a12caace88752fd7810023659be910
SHA1 9ac460eb628d0b5a7e4aac60af374f817265c236
SHA256 45b4414c9bbac9f5725fe3d9dfe48aec2ce4d44a4df8d3bc30a7a8a3555eaaa1
SHA512 802caf09043df8f516be8db08859855344aadc2285f04d3da12483a0ca674710149a636745823e58e236ecdbc1894b9d96980c6fa46c59e0669e2e061a1c4db2

C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe

MD5 8c01266d2ed407f681b1a0b88a81df25
SHA1 d2b29a1e598e83f6fefe12cec439e6384f1f146d
SHA256 74156317e67a872f05786ca5080851ca94d9fbcc55905ed141d9910df5651902
SHA512 1be9f6398b996782f5d3fb017aa65852cb15cce4c5656ede2b76317e2b23ff84d4c71bb0bc055da3a90b94c5b4d6419e4907759ea6a1e17ec7c0413d65f2bd1a

memory/2016-223-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2016-222-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2044-226-0x0000000000400000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2100-241-0x0000000000250000-0x0000000000350000-memory.dmp

memory/1440-266-0x0000000000C30000-0x0000000000D30000-memory.dmp

memory/436-298-0x0000000000900000-0x0000000000A00000-memory.dmp

memory/1468-326-0x0000000000880000-0x0000000000980000-memory.dmp

memory/1468-338-0x0000000000880000-0x0000000000980000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:51

Reported

2024-01-15 04:57

Platform

win10-20231215-en

Max time kernel

298s

Max time network

298s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-33539905-3698238643-2080195461-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d991ce85-6fa1-4d89-903d-859047eaa94a\\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 220 set thread context of 2288 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 2876 set thread context of 1320 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 3860 set thread context of 1884 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
PID 4012 set thread context of 2196 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
PID 3040 set thread context of 2276 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2920 set thread context of 3616 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4884 set thread context of 3988 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1636 set thread context of 4944 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 220 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 220 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 220 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 220 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 220 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 220 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 220 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 220 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 220 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 220 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 2288 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Windows\SysWOW64\icacls.exe
PID 2288 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Windows\SysWOW64\icacls.exe
PID 2288 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Windows\SysWOW64\icacls.exe
PID 2288 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 2288 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 2288 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 2876 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 2876 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 2876 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 2876 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 2876 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 2876 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 2876 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 2876 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 2876 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 2876 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
PID 1320 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
PID 1320 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
PID 1320 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
PID 3860 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
PID 3860 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
PID 3860 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
PID 3860 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
PID 3860 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
PID 3860 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
PID 3860 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
PID 3860 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
PID 3860 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
PID 3860 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
PID 1320 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
PID 1320 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
PID 1320 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
PID 4012 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
PID 4012 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
PID 4012 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
PID 4012 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
PID 4012 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
PID 4012 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
PID 4012 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
PID 4012 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
PID 4012 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
PID 2196 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 3040 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3040 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3040 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3040 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3040 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3040 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3040 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3040 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3040 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2276 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe
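The two tables above are enough to rebuild the process tree and to tell a plain relaunch from a hollowed child: a parent that writes into a child running the same image and then resets that child's thread context is the create-suspended / overwrite / SetThreadContext / resume sequence. The following is an added example, not part of this report or of the sandbox vendor's tooling. The PIDs and image paths are taken from the rows above (the report repeats each WriteProcessMemory pair several times, so one copy of each is kept); the scoring labels "hollowing", "relaunch" and "suspected" are this example's own.

```python
"""Rebuild the process tree and score hollowing candidates from the
"wrote to memory of" / "set thread context of" rows of the report."""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe"
BUILD2 = r"C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe"
BUILD3 = r"C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe"
MSTSCA = r"C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
ICACLS = r"C:\Windows\SysWOW64\icacls.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
WROTE, CTX = "wrote to memory of", "set thread context of"

# One copy of each distinct row from the two signature tables (constructed from the report).
ROWS = [f"PID {s} {v} {d} N/A {si} {di}" for s, v, d, si, di in [
    (220, WROTE, 2288, SAMPLE, SAMPLE), (2288, WROTE, 768, SAMPLE, ICACLS),
    (2288, WROTE, 2876, SAMPLE, SAMPLE), (2876, WROTE, 1320, SAMPLE, SAMPLE),
    (1320, WROTE, 3860, SAMPLE, BUILD2), (3860, WROTE, 1884, BUILD2, BUILD2),
    (1320, WROTE, 4012, SAMPLE, BUILD3), (4012, WROTE, 2196, BUILD3, BUILD3),
    (2196, WROTE, 1232, BUILD3, SCHTASKS), (3040, WROTE, 2276, MSTSCA, MSTSCA),
    (2276, WROTE, 3264, MSTSCA, SCHTASKS),
    (220, CTX, 2288, SAMPLE, SAMPLE), (2876, CTX, 1320, SAMPLE, SAMPLE),
    (3860, CTX, 1884, BUILD2, BUILD2), (4012, CTX, 2196, BUILD3, BUILD3),
    (3040, CTX, 2276, MSTSCA, MSTSCA), (2920, CTX, 3616, MSTSCA, MSTSCA),
    (4884, CTX, 3988, MSTSCA, MSTSCA), (1636, CTX, 4944, MSTSCA, MSTSCA),
]]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(rows):
    """Return (writes, ctx, images): two edge sets keyed (src, dst) and a PID -> image map."""
    writes, ctx, images = set(), set(), {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue  # the signature tables mix several row formats; skip the rest
        src, dst = int(m["src"]), int(m["dst"])
        images[src], images[dst] = m["src_img"], m["dst_img"]
        (writes if m["verb"] == WROTE else ctx).add((src, dst))
    return writes, ctx, images


def process_tree(writes):
    """Parent -> children from the write edges (a parent writes into every child it
    spawns); roots are sources that never appear as a destination."""
    children = defaultdict(list)
    for src, dst in sorted(writes):
        if dst not in children[src]:
            children[src].append(dst)
    roots = sorted({s for s, _ in writes} - {d for _, d in writes})
    return dict(children), roots


def render_tree(children, images, pid, depth=0):
    """Indented text tree, the form you would paste into an incident note."""
    lines = ["  " * depth + f"{pid} {basename(images[pid])}"]
    for child in children.get(pid, []):
        lines.extend(render_tree(children, images, child, depth + 1))
    return lines


def hollowing_candidates(writes, ctx, images):
    """Same-image pairs only. Both a write and a SetThreadContext: hollowing.
    Write only: the parent just relaunched its own binary (here the --Admin copy).
    SetThreadContext only: suspected, the report recorded no write for it.
    Writes into a different image (the icacls/schtasks helpers) are ordinary
    child set-up with no context reset and are used only for the tree."""
    found = []
    for src, dst in sorted(writes | ctx):
        if images[src] != images[dst]:
            continue
        in_w, in_c = (src, dst) in writes, (src, dst) in ctx
        label = "hollowing" if in_w and in_c else ("relaunch" if in_w else "suspected")
        found.append((src, dst, basename(images[dst]), label))
    return found


if __name__ == "__main__":
    writes, ctx, images = parse_rows(ROWS)
    children, roots = process_tree(writes)
    for root in roots:
        print("\n".join(render_tree(children, images, root)))
    for item in hollowing_candidates(writes, ctx, images):
        print(*item)
```

Run stand-alone it prints the two trees (the sample rooted at 220, the task-launched mstsca.exe rooted at 3040) and the scored pairs; the three mstsca.exe instances with only a SetThreadContext row are the one-minute task relaunches whose writes fell outside the recorded window.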

Processes

C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe

"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe"

C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe

"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\d991ce85-6fa1-4d89-903d-859047eaa94a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe

"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe

"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe

"C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe"

C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe

"C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 2072

C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe

"C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe

"C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
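The process list above carries the three actions worth alerting on: the icacls deny ACE that strips delete rights from Everyone (S-1-1-0) on the install folder, the "Azure-Update-Task" scheduled task that relaunches mstsca.exe from a user-writable path every minute, and the STOP/Djvu relaunch arguments (--Admin IsNotAutoStart IsNotTask on the command line, --AutoStart in the SysHelper Run value). The checks below are an added example, not part of this report or of any vendor's rules. The (image, command line) pairs and the Run-key line are copied from this report; the rule names, the five-minute interval threshold and the "user-writable" path test are this example's assumptions.

```python
"""Command-line and Run-key checks for the persistence and tamper-protection
actions recorded in the Processes list of the report."""
import re

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
# icacls "<path>" /deny <principal>:(OI)(CI)(rights); *S-1-1-0 is the well-known Everyone SID
ICACLS_DENY = re.compile(
    r'icacls(?:\.exe)?\s+"(?P<path>[^"]+)"\s+/deny\s+(?P<who>\*?S-1-1-0|Everyone):'
    r'(?P<inherit>(?:\([A-Z]{2}\))*)\((?P<rights>[A-Z,]+)\)', re.I)
RUN_VALUE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>\S+) = "(?P<data>.*)"$')
DJVU_ARGS = {"--Admin", "--AutoStart", "IsNotAutoStart", "IsNotTask"}  # tokens seen in this report

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe"
BUILD3 = r"C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe"
MSTSCA = r"C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
TASK_CMD = f'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "{MSTSCA}"'

# (image, command line) pairs as the Processes list shows them (constructed from the report).
PROCESSES = [
    (SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    (r"C:\Windows\SysWOW64\icacls.exe",
     r'icacls "C:\Users\Admin\AppData\Local\d991ce85-6fa1-4d89-903d-859047eaa94a" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (SAMPLE_EXE, f'"{SAMPLE_EXE}" --Admin IsNotAutoStart IsNotTask'),
    (SAMPLE_EXE, f'"{SAMPLE_EXE}" --Admin IsNotAutoStart IsNotTask'),
    (BUILD3, f'"{BUILD3}"'),
    (r"C:\Windows\SysWOW64\schtasks.exe", TASK_CMD),
    (MSTSCA, MSTSCA),
    (r"C:\Windows\SysWOW64\schtasks.exe", TASK_CMD),
]
REGISTRY = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-33539905-3698238643-2080195461-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d991ce85-6fa1-4d89-903d-859047eaa94a\\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe\" --AutoStart"',
]


def switch(cmdline, name):
    """Value of a /name switch in a schtasks command line, quoted or bare."""
    m = re.search(rf'/{name}\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def check_icacls(image, cmdline):
    m = ICACLS_DENY.search(cmdline)
    if not m or not image.lower().endswith("icacls.exe"):
        return None
    rights = set(m["rights"].upper().split(","))
    # DE = delete, DC = delete child, F = full; any of them blocks clean-up of the folder
    if not (rights & {"DE", "DC", "F"}) or not USER_WRITABLE.search(m["path"]):
        return None
    return {"rule": "icacls_deny_everyone_delete", "path": m["path"], "rights": sorted(rights)}


def check_schtasks(image, cmdline):
    if not image.lower().endswith("schtasks.exe") or "/create" not in cmdline.lower():
        return None
    sched, every, name, run = (switch(cmdline, k) for k in ("sc", "mo", "tn", "tr"))
    if sched is None or sched.lower() != "minute" or run is None:
        return None
    interval = int(every) if every and every.isdigit() else 1  # schtasks defaults /mo to 1
    if interval > 5 or not USER_WRITABLE.search(run):
        return None
    return {"rule": "schtasks_minute_user_path", "task": name, "interval_min": interval,
            "target": run, "force": "/f" in cmdline.lower()}


def check_djvu_args(image, cmdline):
    hits = sorted(set(cmdline.split()) & DJVU_ARGS)
    if not hits or not USER_WRITABLE.search(image):
        return None
    return {"rule": "djvu_relaunch_args", "image": image, "args": hits}


def check_run_key(line):
    m = RUN_VALUE.search(line)
    if not m:
        return None
    data = m["data"].replace('\\"', '"').replace("\\\\", "\\")  # undo the report's escaping
    if not USER_WRITABLE.search(data):
        return None
    return {"rule": "run_key_user_path", "value": m["name"], "command": data,
            "djvu_args": sorted(set(data.split()) & DJVU_ARGS)}


def triage(processes, registry_lines):
    findings = []
    for image, cmdline in processes:
        for check in (check_icacls, check_schtasks, check_djvu_args):
            f = check(image, cmdline)
            if f:
                findings.append(f)
    findings.extend(f for f in map(check_run_key, registry_lines) if f)
    return findings


if __name__ == "__main__":
    for finding in triage(PROCESSES, REGISTRY):
        print(finding)
```

The icacls rule is the one to keep even outside this family: a deny ACE for Everyone on delete rights under AppData has no benign reason to exist, and it is what makes the dropped copy hard to remove by hand. The schtasks rule keys on the combination (minute schedule, short modifier, /tr under a user profile, /F to overwrite silently) rather than on the task name, which the operators can change.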

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
AR 186.13.17.220:80 brusuax.com tcp
KR 211.181.24.132:80 habrafa.com tcp
US 8.8.8.8:53 220.17.13.186.in-addr.arpa udp
US 8.8.8.8:53 132.24.181.211.in-addr.arpa udp
KR 211.181.24.132:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 tcp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
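Most of the rows above are not indicators: the 8.8.8.8:53 rows are the sandbox resolver, and the in-addr.arpa rows are reverse lookups, several of them for addresses the sample never contacted. What is left is the api.2ip.ua external-IP check, two plain-HTTP hosts (brusuax.com, habrafa.com), a t.me fetch (the dead-drop pattern Vidar is widely documented to use for its C2 address), and a bare IP on a non-standard port (116.202.0.196:10220) that no DNS query preceded. The following is an added example, not part of the report, that sorts the table that way. ROWS is the table above copied verbatim, including the one row with no Domain column; the category names and the decision to treat unmatched reverse lookups as background noise are this example's own.

```python
"""Classify the Network table of the report and separate real
connections from the sandbox's own DNS noise."""
from collections import defaultdict

# The Network table above, copied verbatim (constructed input for this example).
ROWS = """\
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
AR 186.13.17.220:80 brusuax.com tcp
KR 211.181.24.132:80 habrafa.com tcp
US 8.8.8.8:53 220.17.13.186.in-addr.arpa udp
US 8.8.8.8:53 132.24.181.211.in-addr.arpa udp
KR 211.181.24.132:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 tcp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
""".splitlines()

RESOLVER = "8.8.8.8:53"  # the sandbox's DNS forwarder in this report


def parse(rows):
    out = []
    for row in rows:
        parts = row.split()
        if len(parts) == 3:          # "DE 116.202.0.196:10220 tcp": Domain column absent
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        out.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return out


def ptr_to_ip(name):
    """'220.139.67.172.in-addr.arpa' -> '172.67.139.220'"""
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))


def classify(rec):
    d = rec["domain"] or ""
    if d.endswith(".in-addr.arpa"):
        return "ptr_lookup"          # reverse lookup, mostly sandbox/OS background
    if f'{rec["ip"]}:{rec["port"]}' == RESOLVER and rec["proto"] == "udp":
        return "dns_query"
    if d == "api.2ip.ua":
        return "external_ip_check"   # the "Looks up external IP address" signature
    if d == "t.me":
        return "telegram_fetch"      # dead-drop resolver pattern
    if rec["domain"] is None or rec["domain"] == rec["ip"]:
        return "direct_ip"           # no name resolved: address came from the binary or a dead drop
    return "plain_http" if rec["port"] == 80 else "tls_endpoint"


def summarize(records):
    by_cat = defaultdict(set)
    for r in records:
        cat = classify(r)
        key = r["domain"] if cat in ("dns_query", "ptr_lookup") else f'{r["ip"]}:{r["port"]}'
        by_cat[cat].add(key)
    return {k: sorted(v) for k, v in by_cat.items()}


def ptr_correlation(records):
    """Split reverse-looked-up IPs into those the sample actually connected to
    and those it never touched (the latter are not indicators)."""
    contacted = {r["ip"] for r in records if classify(r) not in ("dns_query", "ptr_lookup")}
    ptr_ips = {ptr_to_ip(r["domain"]) for r in records if classify(r) == "ptr_lookup"}
    return sorted(ptr_ips & contacted), sorted(ptr_ips - contacted)


def iocs(records):
    """Domains and ip:port endpoints worth blocking, resolver and PTR rows excluded."""
    domains, endpoints = set(), set()
    for r in records:
        cat = classify(r)
        if cat == "ptr_lookup":
            continue
        if cat == "dns_query":
            domains.add(r["domain"])
            continue
        endpoints.add(f'{r["ip"]}:{r["port"]}')
        if r["domain"] and r["domain"] != r["ip"]:
            domains.add(r["domain"])
    return sorted(domains), sorted(endpoints)
```

The PTR correlation is the part worth keeping in a reusable script: seven of the twelve reverse lookups here are for addresses that never appear as a destination, and copying them into a blocklist would only add noise.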

Files

memory/220-1-0x00000000005A0000-0x0000000000634000-memory.dmp

memory/220-3-0x00000000023A0000-0x00000000024BB000-memory.dmp

memory/2288-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2288-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2288-2-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2288-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\d991ce85-6fa1-4d89-903d-859047eaa94a\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe

MD5 e22cc391ec96183337fa39658716d352
SHA1 6d42eeba5cdef2fbc22e5d0f775f2e848e7004fe
SHA256 55bc702d0f53bae786546193da6740f2bfc7999f03ebc7b7be76baf16a95ebd9
SHA512 67386103d2714077485318d6e48443b5459193b33c2ac4bd58cec08d5e05a7b6e39b18da5550d3ee192b397fa5a7818c0a92636dfce957c93f91b3355e0ca0ff

memory/2288-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2876-20-0x00000000021D0000-0x0000000002272000-memory.dmp

memory/1320-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1320-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1320-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 0bf5dcd55d1bf70c75c40bec9e679d78
SHA1 bb06303922c337e33988dd59f72621a4f73dcc52
SHA256 f30da7f83c68d205f0ed7c388c627da4991377ce013b897daa67088309d0c0d1
SHA512 fa725d5f17ae4a98e84deba8e891afc2ac77e80347069dc6ef27a0d7b524b364778d609710faa033c6360d63206b11394847058a77384b2586f7066b4f7b287f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 789c4f9e15f2dfc83e691c1b0adb9df3
SHA1 6328e86f30dc8792c911ee3860fb5cfa514937be
SHA256 60dbf7c296e4da0a7121c492e91c63dff784822db3f399b576272a03d7aead77
SHA512 e8c34fa47ffa463aea15f1eb0b0d8fa0f9dff5915ecbc65c82b721651804e40b8220297a8440e2c33ca3ff06f440a95fc59a4c1262c6078c3344459e3438a960

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

memory/1320-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1320-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1320-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1320-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1320-36-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe

MD5 c4522c95d578ae0ce61bb5246e06fad9
SHA1 c4808003b653392e82282f427d2313f2549697fc
SHA256 c358c5e561605d7d093a42bf56ff6e7e0e0b90bfe06896dde5162e7215278fa6
SHA512 81e207793d553731d32a5e1fae82aaf17e55cebf6567b4caaac6592b670b6e5a5d1543af7f147744b8309cd357d116d1df49df8078f083320757fc7b35f73047

memory/1320-45-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe

MD5 081abf7827e6bbdf42f3df0fe751d40f
SHA1 597be0cc3c2b541e61b84ef1e772e7d60387dfd3
SHA256 98785ba14bf41a1b043d2a3f27a7f40b3efbe58af4e0167394f867d6559c59c9
SHA512 0699b2ea49a74ea31772c21c967f999cd03af9ba49b55bf0e5a7c439a02dd7bb91ae5d90ef1c0eacf8a2b8765fd81d2a6f186ed7ca72f832ba2841afe5b36155

memory/3860-48-0x00000000005B0000-0x00000000005FB000-memory.dmp

memory/1884-52-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1884-53-0x0000000000400000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe

MD5 80466d1e3c1a8d321262938f6c86178b
SHA1 d735dd52915df87857efbd6c323fb327e6198f96
SHA256 25c9c2a23350fb899a793a24cdb32d971f33676b303ff25de2f8edd5c89dc0ba
SHA512 3825a00eda5e91a859f95de28755036dbd3c67f3d004cab2094be34fce71de7164a2a11581445b2c5c7dc206156d3d4009d3269bd25b95eb2ec28fa7d2ea4312

memory/1884-49-0x0000000000400000-0x000000000065E000-memory.dmp

memory/3860-47-0x0000000000750000-0x0000000000850000-memory.dmp

C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe

MD5 43e8dcdf963318ec99324c8913783811
SHA1 59b47c2b52458f57d1b7360bc581493bbe639352
SHA256 a3f2c541cda7b170163b241505c6f86d03c3ab279c2881caa0ff837b03a7af4f
SHA512 4c3b5085c59c1c6f1858e619c6032a735196c604af5e7687986a5d0366b62a7e6380bf17fb8034e7df843f4b67bd170962bbabb049fccd21c6defd93ba697be3

memory/1320-63-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe

MD5 0c19c644888b16a4df5076f73b27916e
SHA1 76071db49d5c2f8ad81bd5d4a5803fe4e201502e
SHA256 9ce896dfc21f5a1f92439553ce1b419f34e684321e1864b52f6fd73c8d533014
SHA512 560ce9f62dc12a8ce34f9c6cf6e54d436e35b8855c9d5fa8c41b6164ed8870b249678ec15d3bc0ecd9348fc0eb9e25b0b9c6db21021bfe4d15de1d9a43fd9e88

memory/2196-67-0x0000000000400000-0x0000000000406000-memory.dmp

memory/4012-70-0x00000000001F0000-0x00000000001F4000-memory.dmp

memory/2196-74-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 334373b5bdd0f5e9896cc72c810ab441
SHA1 c10ece55d561b6753bb78e89a4d74b2f4954aedf
SHA256 886172f58a393b58952d9e8423812eae1d78987f8f2dd89f07dec8e2fe7fccc6
SHA512 3673a099787d5369fd035c742ab112e2a88379758902b17a015a5374c7282c61b8bbc0f0e387f78a43ab7f1a7222e5c1158bf0e399f3f1e2271fc436065ae9c9

memory/2196-72-0x0000000000400000-0x0000000000406000-memory.dmp

memory/4012-68-0x0000000000910000-0x0000000000A10000-memory.dmp

C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe

MD5 9a8f5656d62d3fc8fe93a71bd3f98b6e
SHA1 746353f9c68752150cc2d9a8c5f76ba347d08b96
SHA256 38b519820e2c99239fdab16a36c9045f62d24bcb436dc3b924df8f0a5fa54e12
SHA512 dc3c490695e8a1899ecb776a0769ce8f9877a2400076c7caef742388ede8746b99e1d555d402216cee6dbfbdaee7a605df1fb0f9e548a6c19932cd7ad063b9eb

memory/1884-77-0x0000000000400000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/3040-91-0x00000000009C0000-0x0000000000AC0000-memory.dmp

memory/2920-116-0x0000000000980000-0x0000000000A80000-memory.dmp

memory/3616-121-0x0000000000410000-0x00000000004D5000-memory.dmp

memory/4884-143-0x00000000007F0000-0x00000000008F0000-memory.dmp

memory/1636-170-0x0000000000B80000-0x0000000000C80000-memory.dmp
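Two things in this Files list are easy to miss when reading it by hand. First, the memory-dump names encode PID and address range, and the same region 0x400000-0x537000 appears in both 2288 and 1320, the two children the SetThreadContext table marks as hollowed: that is the unpacked payload written into each child at the classic 32-bit image base, and the dump of either is the file to unpack further. Second, build2.exe, build3.exe and mstsca.exe are each listed several times with different digests, which is what the report produces when a file is hashed repeatedly while it is still being written, so the intermediate digests are most likely partial downloads and poor indicators. The parser below is an added example, not part of the report. EXCERPT is copied from the list above keeping only the memory-dump names and the path plus SHA256 line of each dropped file; the reading of repeated digests as partial writes is this example's interpretation.

```python
"""Parse memory-dump names and dropped-file entries from the Files list."""
import re
from collections import defaultdict

# Constructed excerpt of the Files list above (memory names, path + SHA256 only).
EXCERPT = r"""
memory/220-1-0x00000000005A0000-0x0000000000634000-memory.dmp
memory/220-3-0x00000000023A0000-0x00000000024BB000-memory.dmp
memory/2288-4-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2288-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2288-2-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\d991ce85-6fa1-4d89-903d-859047eaa94a\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
SHA256 55bc702d0f53bae786546193da6740f2bfc7999f03ebc7b7be76baf16a95ebd9
memory/2876-20-0x00000000021D0000-0x0000000002272000-memory.dmp
memory/1320-22-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1320-23-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
SHA256 c358c5e561605d7d093a42bf56ff6e7e0e0b90bfe06896dde5162e7215278fa6
C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
SHA256 98785ba14bf41a1b043d2a3f27a7f40b3efbe58af4e0167394f867d6559c59c9
memory/3860-48-0x00000000005B0000-0x00000000005FB000-memory.dmp
memory/1884-52-0x0000000000400000-0x000000000065E000-memory.dmp
C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
SHA256 25c9c2a23350fb899a793a24cdb32d971f33676b303ff25de2f8edd5c89dc0ba
C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
SHA256 a3f2c541cda7b170163b241505c6f86d03c3ab279c2881caa0ff837b03a7af4f
C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
SHA256 9ce896dfc21f5a1f92439553ce1b419f34e684321e1864b52f6fd73c8d533014
memory/2196-67-0x0000000000400000-0x0000000000406000-memory.dmp
memory/4012-70-0x00000000001F0000-0x00000000001F4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
SHA256 886172f58a393b58952d9e8423812eae1d78987f8f2dd89f07dec8e2fe7fccc6
C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
SHA256 38b519820e2c99239fdab16a36c9045f62d24bcb436dc3b924df8f0a5fa54e12
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
memory/3040-91-0x00000000009C0000-0x0000000000AC0000-memory.dmp
"""

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_files(text):
    """Return ({pid: {(start, end), ...}}, {path: [sha256, ...]}) from the report format:
    a path line is followed by its hash lines; memory dumps stand alone."""
    regions, hashes, path = defaultdict(set), defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        m = MEM_RE.match(line)
        if m:
            regions[int(m["pid"])].add((int(m["start"], 16), int(m["end"], 16)))
        elif line.startswith("SHA256 ") and path:
            hashes[path].append(line.split()[1])
        elif line and not line.startswith(("MD5 ", "SHA1 ", "SHA512 ")):
            path = line  # a dropped-file path; its digest lines follow
    return dict(regions), dict(hashes)


def image_base_regions(regions, base=0x400000):
    """PIDs grouped by the region that starts at the default 32-bit image base.
    Identical (start, end) in several PIDs means the same image was mapped
    into each of them; for a hollowed child that is the parent's payload."""
    out = defaultdict(list)
    for pid, regs in regions.items():
        for start, end in regs:
            if start == base:
                out[(start, end)].append(pid)
    return {k: sorted(v) for k, v in out.items()}


def region_size(region):
    start, end = region
    return end - start


def rehashed_paths(hashes):
    """Dropped paths recorded with more than one distinct digest. Pivot on the
    last one; the earlier digests are most likely partial writes."""
    return {p: h for p, h in hashes.items() if len(set(h)) > 1}


def final_hashes(hashes):
    """One digest per path: the last one recorded."""
    return {p: h[-1] for p, h in hashes.items()}
```

Sizes are a quick sanity check on what each region holds: 0x137000 bytes (about 1.2 MB) for the payload in 2288 and 1320, 0x25E000 in the build2.exe child 1884, and only 0x6000 in the build3.exe child 2196, which is consistent with build3.exe carrying a small stub whose job is the schtasks persistence rather than a full payload.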