Malware Analysis Report

2025-08-10 18:25

Sample ID 240115-fg975safd3
Target 59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7
SHA256 59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7
Tags
djvu vidar discovery persistence ransomware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7

Threat Level: Known bad

The file 59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7 was found to be: Known bad.

Malicious Activity Summary

djvu vidar discovery persistence ransomware stealer

Detected Djvu ransomware

Vidar

Djvu Ransomware

Detect Vidar Stealer

Downloads MZ/PE file

Modifies file permissions

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:51

Reported

2024-01-15 04:57

Platform

win7-20231215-en

Max time kernel

294s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7170ac16-fcf1-4194-beae-248cec9dca22\\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1936 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1936 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1936 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1936 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1936 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1936 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1936 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1936 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1936 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1936 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 2756 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Windows\SysWOW64\icacls.exe
PID 2756 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Windows\SysWOW64\icacls.exe
PID 2756 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Windows\SysWOW64\icacls.exe
PID 2756 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Windows\SysWOW64\icacls.exe
PID 2756 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 2756 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 2756 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 2756 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 2480 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 2480 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 2480 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 2480 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 2480 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 2480 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 2480 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 2480 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 2480 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 2480 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 2480 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 2604 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe
PID 2604 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe
PID 2604 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe
PID 2604 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe
PID 2672 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe
PID 2672 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe
PID 2672 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe
PID 2672 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe
PID 2672 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe
PID 2672 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe
PID 2672 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe
PID 2672 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe
PID 2672 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe
PID 2672 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe
PID 2672 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe
PID 268 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 268 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 268 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 268 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe

"C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe"

C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe

"C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\7170ac16-fcf1-4194-beae-248cec9dca22" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe

"C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe

"C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe

"C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe"

C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe

"C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 1456

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
AR 186.13.17.220:80 brusuax.com tcp
US 8.8.8.8:53 zexeq.com udp
KR 211.181.24.133:80 zexeq.com tcp
KR 211.181.24.133:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp
KR 211.181.24.133:80 zexeq.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
KR 211.181.24.133:80 zexeq.com tcp
KR 211.181.24.133:80 zexeq.com tcp

Files

memory/1936-0-0x0000000001CE0000-0x0000000001D72000-memory.dmp

memory/1936-1-0x0000000001CE0000-0x0000000001D72000-memory.dmp

memory/1936-3-0x0000000001D80000-0x0000000001E9B000-memory.dmp

memory/2756-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2756-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1936-7-0x0000000001CE0000-0x0000000001D72000-memory.dmp

memory/2756-8-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2756-9-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\7170ac16-fcf1-4194-beae-248cec9dca22\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe

MD5 cea0a866170628872d7005075d21d53c
SHA1 62e1130b5f8ceac4319411a88f99edd4ec34e7de
SHA256 59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7
SHA512 62158e1c7dd966b3ba8af87e5f0d4e012c3267d48fd7dc731c7f7d24fe0cba2921f43cc68c194d3153879f5ac200cf3159a4ff34dc4ffe47b9468290a62fd458

memory/2756-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2480-29-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2480-30-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2604-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2604-36-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 dca61f9c346f08c3bd0c46e09a022cb3
SHA1 223dea0ea360d1ecef95316e66ae818835fcbead
SHA256 274f80a1f36ac39f6ffb750120c1c94de26c7e98bc169d4e9cf7feecc75788c5
SHA512 bc6ec49a04c65540b7d8b0d314994921516644cdcdb5ecf94e3511ded2920fc380dd5af51678af5fec9e3bb9824f0e5d3cbc7fa57b6273ba8518293fe32d5e61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 d9da13bc21ae5d75d0c5d6e57fef7f6f
SHA1 57e5a4e1c2ec5db133c2002aa1cab74c9b8cbee2
SHA256 3b52e259775f247ded30bb1d8e8b8e9b371782e623f85500a41e55ce9c92ab70
SHA512 70e036c2ed4e35e0daef4ba02dee49b3f17f64d79db70b5e6d327063d720ad29774b8365602c1c978a4f235259a26035f9314c209880b778633a9cc2474136d4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 659e69a677f70a2a7ba39e08c7e7096b
SHA1 4d44fd5df49d3baa5bdc6c61b5c513152089e1d3
SHA256 a28f564ab24d14258c8620c47206521098090add4e96508c394892280a6f427b
SHA512 44b3a2374accdfdfad171e721d89c4feab6c0bbc793c2836935274c3826c0f854cb80e0c74fba14ca2c05c758caafc1b184d8749ee64a3f049537b61a5ece621

C:\Users\Admin\AppData\Local\Temp\Cab55BE.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2604-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2604-50-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe

MD5 c4070da9f9b0581171af16e681ccdff8
SHA1 3fb4182921fdc3acd7873ebe113ac5522585312a
SHA256 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
SHA512 c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427

memory/268-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2672-65-0x00000000008C0000-0x00000000009C0000-memory.dmp

memory/2672-67-0x0000000000230000-0x000000000027B000-memory.dmp

memory/268-68-0x0000000000400000-0x000000000065E000-memory.dmp

memory/268-71-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2604-72-0x0000000000400000-0x0000000000537000-memory.dmp

memory/268-73-0x0000000000400000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar6C3C.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0fe69a308f7dd4012802ba1e0bbe66d
SHA1 3d33f18c374266151054f7ef7e9b749da9d07c6c
SHA256 b9fce032c9c31ba175ca26c37a84ca6c802159a6e608740d857e11fc9bff3327
SHA512 8a3ce9104c601aaffeb09039c2fb91532077de47f5f867f749553d6aac5acd59adfd40c29d21f384b7de8e9c6c9646b518e612c266b82410e04fa4cad40a9e4b

memory/268-194-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2604-196-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2604-198-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2604-199-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2604-201-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:51

Reported

2024-01-15 04:56

Platform

win10-20231220-en

Max time kernel

51s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f8d1d28d-7452-4c55-b079-47a4da0efcf1\\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1620 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1620 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1620 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1620 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1620 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1620 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1620 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1620 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1620 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 4780 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Windows\SysWOW64\icacls.exe
PID 4780 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Windows\SysWOW64\icacls.exe
PID 4780 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Windows\SysWOW64\icacls.exe
PID 4780 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 4780 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 4780 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 4748 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 4748 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 4748 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 4748 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 4748 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 4748 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 4748 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 4748 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 4748 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 4748 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
PID 1668 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe
PID 1668 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe
PID 1668 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe
PID 1348 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe
PID 1348 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe
PID 1348 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe
PID 1348 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe
PID 1348 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe
PID 1348 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe
PID 1348 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe
PID 1348 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe
PID 1348 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe
PID 1348 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe

"C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe"

C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe

"C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f8d1d28d-7452-4c55-b079-47a4da0efcf1" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe

"C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe

"C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe

"C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe"

C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe

"C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1916

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 8.8.8.8:53 zexeq.com udp
KR 211.168.53.110:80 zexeq.com tcp
KR 211.168.53.110:80 zexeq.com tcp
US 8.8.8.8:53 110.53.168.211.in-addr.arpa udp
KR 211.168.53.110:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
KR 211.168.53.110:80 zexeq.com tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
KR 211.168.53.110:80 zexeq.com tcp
KR 211.168.53.110:80 zexeq.com tcp

Files

memory/1620-1-0x00000000020C0000-0x000000000215E000-memory.dmp

memory/1620-2-0x0000000002190000-0x00000000022AB000-memory.dmp

memory/4780-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4780-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4780-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4780-3-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\f8d1d28d-7452-4c55-b079-47a4da0efcf1\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe

MD5 53854321deddd90ba43a81b1d7c60712
SHA1 feffadda60ad0b54478f03cb09dd678e65b28d91
SHA256 d09aac0a2ac7b7770940bcfcca21d44370fe72df7a74871d27c6714aebc69c97
SHA512 a13f1722c1c73d80b023cc7c3057bf1724d527c92b72ba952e62fe4c3110885b4cfa85ccfb8f940d65c89debb53de629266e2001c779419ef5db3b8d6e374bcc

memory/4780-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4748-20-0x00000000020E0000-0x0000000002179000-memory.dmp

memory/1668-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1668-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1668-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 89e3600293b1790349601358899b60cb
SHA1 3a37042f9c2fb874ad978828cd87efdf81f1aa74
SHA256 891d0d7b696094e3d1d7c7d773e1cbd5df14da221fb3d8529ef47a7811de2080
SHA512 d4780608fa6cfd23224516ea1b0a0176de7104e7aab9ae38c021cdb49f08ed1b4025ac64727c1112d43937213eb7c6e16dc47e6b174c490aee5293403fa42ce6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 04ca323335976f7ed1b8cf5ebe1ebd7c
SHA1 8dbd4d9a9d0642bcc37b5ea1ed45345bfd828211
SHA256 9190095c14c3ce50346f7f789239f997d06ebc92e3edfcc647e9b40a8317522f
SHA512 b4184ffc47b9e280f1f98316763d709ef97f8670fac1f0804a3f5a802600f07fecb440b97c7d7783813a479efb66aa388c7db6d184673c7a90fde3d2dd3fce07

memory/1668-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1668-30-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe

MD5 c73531e4cc088ed5ec1f8562282ec700
SHA1 3c5f393faeb751597f3d7328130859630300f5fc
SHA256 2e028881839d5820bdeba0b9102bf656798e002cb35b40f63dd776fde8816f67
SHA512 0f6d43d5c27fe7e860b5edc24989e9802191e13bb30628629ec061900fa7f0a60938daa61a3c097e69060357c6537e99b387e610229f809a0c697f9df54d5e8d

memory/4080-39-0x0000000000400000-0x000000000065E000-memory.dmp

memory/4080-45-0x0000000000400000-0x000000000065E000-memory.dmp

memory/4080-44-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1348-43-0x00000000020F0000-0x000000000213B000-memory.dmp

memory/1348-42-0x0000000000610000-0x0000000000710000-memory.dmp

C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe

MD5 2907d24bf4358f06e28ab1586e31a5df
SHA1 5bf51ab4f2d1fe9c0c0d75506da29b5fbdb7e499
SHA256 1ef71558ed1992a6fc85d7171c3a4a370ace0c3dc81561ebb42c66450f835ccf
SHA512 479ed57538a04f4985f8108033f2cf038a1ced379ea480c045e4096d90c346661348f60194be19c39b0f7a0c7facba0fc03f6acfeba83dae31bd51e332f858da

C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe

MD5 ff75f5779e0ddad79a3ef14166bb9630
SHA1 634f0a968b08a70181eb1fff4efb20dbeaa6516c
SHA256 ac15d93f4a5a15aee6640e7dddd0f590ceed9adedca3df1e40fa0f43ec81dc91
SHA512 ee92ff0cef8ebf0ca136d1918f6ed7a9767dbb3fda65615901f6aa8a98c02000599b3bba01fe64a3eb3ffdebdd15494909163362496c38f2ff98f144bd8ab837

memory/1668-47-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4080-51-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1668-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1668-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1668-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1668-57-0x0000000000400000-0x0000000000537000-memory.dmp