Analysis Overview
SHA256
4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b
Threat Level: Known bad
The file 4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b was found to be: Known bad.
Malicious Activity Summary
Djvu Ransomware
Detected Djvu ransomware
Vidar
Detect Vidar Stealer
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:50
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:50
Reported
2024-01-15 04:55
Platform
win7-20231215-en
Max time kernel
300s
Max time network
156s
Command Line
Signatures
Detected Djvu ransomware
Djvu Ransomware
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c684e268-3cb5-43e3-8d44-f2ae6f69bfb0\\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe | "C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe" |
| C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe | "C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe" |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\c684e268-3cb5-43e3-8d44-f2ae6f69bfb0" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe | "C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe | "C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe | "C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe" |
| C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe | "C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe" |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Windows\system32\taskeng.exe | taskeng.exe {8B6B2ECB-6370-4A3C-9FED-C99847B1F26E} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1] |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| KR | 175.120.254.9:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| MX | 187.209.217.243:80 | habrafa.com | tcp |
| MX | 187.209.217.243:80 | habrafa.com | tcp |
Files
memory/2520-0-0x00000000002B0000-0x0000000000341000-memory.dmp
memory/2520-1-0x00000000002B0000-0x0000000000341000-memory.dmp
memory/2520-2-0x0000000001E30000-0x0000000001F4B000-memory.dmp
memory/2080-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2080-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2080-7-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2080-8-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\c684e268-3cb5-43e3-8d44-f2ae6f69bfb0\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
| MD5 | 6f83cf92ac13d4f982229e5907dd66d8 |
| SHA1 | 2d97ea6768afa98cd1d8ba26435f69750b024729 |
| SHA256 | 4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b |
| SHA512 | 9c9e8cc5b718877934429917cf3a200900498462eda756a6567509b7e49635512b867228244a0a863f54130bf8218f67dc037fcaf6adcb1e28002d76368e6e32 |
memory/2732-27-0x00000000002C0000-0x0000000000351000-memory.dmp
memory/2080-26-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2732-29-0x00000000002C0000-0x0000000000351000-memory.dmp
memory/2676-34-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2732-35-0x00000000002C0000-0x0000000000351000-memory.dmp
memory/2676-36-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | bdb53c4bb86031a4bd2b0496d7a34b9b |
| SHA1 | 6bd7906b423370c4e40b5e28ff6255f8a2e0453f |
| SHA256 | 6ee1f8c0cca2b16598741fa3c9d046bda952d5e70558391584960bd74da24114 |
| SHA512 | 6055e638c53bdbe203e7bfeeac65bc0d3369e888eacd9899dd76f245ff5528a9f423af3e2333d74537fe231a1233b2a17cf002d701cd924acf553df39caf8050 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3251dfddf14c93fba31b02b9ad962048 |
| SHA1 | c59021aa0c3d4e4ca7e28dae33224819174ee338 |
| SHA256 | ae4510740783cf24770ded8cd3be16f7ed2c157a6614c940f64e5a75d1a7e57d |
| SHA512 | 6aa646da18d49f3179d77feb637ab272cfa1c2c2c6b57516dc3cdbe29f4979dd0deb62a66ee19b49722517daf0bb8bf94b4b56b0f23cbbed3edc3e77861a7f6e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 0cd9af3c51d9e32a2ec7a8524b34b870 |
| SHA1 | b4100571f2715642adb9d58e56dcf5d09ae065cf |
| SHA256 | ce3e67b690fe39c7b9962a49dc9192b370b2a2c32cff485c2627b8b72f053de5 |
| SHA512 | dc4f4b8b63223531c4e7c4cac7eaded726b8ac6b91dbab092d173b17a368a0c6e83c5be9d1de89d178b06130a81481f69dbe44bf91e9ec8f2f909d2025f50fd0 |
C:\Users\Admin\AppData\Local\Temp\Cab6058.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/2676-49-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2676-50-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2676-54-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2676-57-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2676-56-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2676-58-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/2676-69-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1344-78-0x00000000009E2000-0x00000000009F3000-memory.dmp
memory/2156-80-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1344-79-0x0000000000220000-0x0000000000224000-memory.dmp
memory/2156-75-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2156-82-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2092-96-0x0000000000C30000-0x0000000000D30000-memory.dmp
memory/568-99-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2124-119-0x0000000000250000-0x0000000000350000-memory.dmp
memory/2268-142-0x0000000000C30000-0x0000000000D30000-memory.dmp
memory/1980-163-0x0000000000870000-0x0000000000970000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:50
Reported
2024-01-15 04:56
Platform
win10-20231215-en
Max time kernel
297s
Max time network
297s
Command Line
Signatures
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\481c7f21-ac5d-4aee-9a51-ecfd664acf58\\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe | "C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe" |
| C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe | "C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe" |
| C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe | "C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe | "C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\481c7f21-ac5d-4aee-9a51-ecfd664acf58" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe | "C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe" |
| C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe | "C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1912 |
| C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe | "C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe" |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe | "C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
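The process lists of both detonations show the same chain: the sample locks its own %LOCALAPPDATA%\<GUID> copy with an icacls deny-delete ACL for Everyone, relaunches itself with `--Admin IsNotAutoStart IsNotTask`, registers a `SysHelper` Run value ending in `--AutoStart`, and a dropped `build3.exe` registers a one-minute `schtasks` job pointing at `mstsca.exe` under %APPDATA%. The following detector turns those command lines into rules over process-creation events (Sysmon event 1 or Security 4688 style). It is an added example, not sandbox output and not a published rule: `ProcEvent`, the rule names, `classify()` and the `SAMPLE_EVENTS` list are this example's own, the command lines in the sample are copied from the report, and the pids are invented.

```python
"""Flag the STOP/Djvu execution chain recorded in this report from
process-creation events.  Added example: ProcEvent, the rule names and
SAMPLE_EVENTS are constructed; command lines come from the report, pids do not."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str      # full path of the created process
    cmdline: str    # its command line as logged


GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# A GUID-named folder directly under %LOCALAPPDATA%, followed by a path
# separator, a closing quote, whitespace or end of string.
GUID_DIR = re.compile(r"\\AppData\\Local\\" + GUID + r'(?=[\\"\s]|$)', re.IGNORECASE)
# icacls denying Everyone (S-1-1-0) delete and delete-child, inherited downwards.
ACL_LOCK = re.compile(r"/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)", re.IGNORECASE)
# The relaunch switch seen on the second copy of the sample.
ADMIN_RELAUNCH = re.compile(r"--Admin\s+IsNotAutoStart\s+IsNotTask\b", re.IGNORECASE)
# Run-key data ending in --AutoStart.
RUN_AUTOSTART = re.compile(r'--AutoStart"?\s*$', re.IGNORECASE)
# schtasks /create with a one-minute repeat.  The image, not the command
# line, identifies schtasks here because the logged line starts at "/C".
MINUTE_TASK = re.compile(
    r'/create\b.*?/sc\s+minute\s+/mo\s+1\b.*?/tn\s+"(?P<task>[^"]+)".*?/tr\s+"(?P<target>[^"]+)"',
    re.IGNORECASE,
)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> list[str]:
    """Rule names tripped by one event, in a fixed order."""
    hits: list[str] = []
    name = image_name(ev.image)
    if name == "icacls.exe" and ACL_LOCK.search(ev.cmdline) and GUID_DIR.search(ev.cmdline):
        hits.append("djvu_acl_lock")
    if ADMIN_RELAUNCH.search(ev.cmdline):
        hits.append("djvu_admin_relaunch")
    if name == "schtasks.exe":
        m = MINUTE_TASK.search(ev.cmdline)
        if m and "\\appdata\\" in m.group("target").lower():
            hits.append("minute_task_from_appdata")
    if name.endswith(".exe") and GUID_DIR.search(ev.image):
        hits.append("exe_in_appdata_guid_dir")
    return hits


def check_run_value(data: str) -> bool:
    """True for a Run-key value that starts an exe from a GUID folder with --AutoStart."""
    return bool(GUID_DIR.search(data) and RUN_AUTOSTART.search(data))


def classify(events: list[ProcEvent]) -> dict:
    """Combine per-event hits into one verdict for the host."""
    hits = {ev.pid: evaluate(ev) for ev in events}
    rules = {r for h in hits.values() for r in h}
    if {"djvu_acl_lock", "djvu_admin_relaunch"} <= rules:
        verdict = "STOP/Djvu chain"
        if "minute_task_from_appdata" in rules:
            verdict += " with minute-interval loader task"
    elif rules:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "rules": sorted(rules),
            "hits": {pid: h for pid, h in hits.items() if h}}


# Constructed events: command lines from the report, pids invented.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe"
SAMPLE_EVENTS = [
    ProcEvent(1001, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1002, r"C:\Windows\SysWOW64\icacls.exe",
              r'icacls "C:\Users\Admin\AppData\Local\c684e268-3cb5-43e3-8d44-f2ae6f69bfb0" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    ProcEvent(1003, SAMPLE, f'"{SAMPLE}" --Admin IsNotAutoStart IsNotTask'),
    ProcEvent(1004, r"C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe",
              r'"C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe"'),
    ProcEvent(1005, r"C:\Windows\SysWOW64\schtasks.exe",
              r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'),
    ProcEvent(1006, r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),  # benign control
]

if __name__ == "__main__":
    print(classify(SAMPLE_EVENTS))
```

The icacls and relaunch rules are the discriminating pair: each alone also fires on some legitimate installers, but together with a GUID-named drop folder they have no benign explanation. The one-minute task rule is deliberately not tied to the name `Azure-Update-Task`, since the name is trivially changed while the `/sc minute /mo 1` re-execution of a binary under AppData is the behaviour that matters.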
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| KR | 123.140.161.243:80 | brusuax.com | tcp |
| UY | 167.61.128.19:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | 243.161.140.123.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.128.61.167.in-addr.arpa | udp |
| KR | 123.140.161.243:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
memory/3964-4-0x0000000002280000-0x000000000239B000-memory.dmp
memory/4380-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4380-6-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3964-3-0x00000000021D0000-0x0000000002270000-memory.dmp
memory/4380-2-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4380-1-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\481c7f21-ac5d-4aee-9a51-ecfd664acf58\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
| MD5 | 68c6dc4bb98af508ea927973c5ae1f18 |
| SHA1 | ca81b47161aa74bc8cc635aedf7a7d2b7cd030ed |
| SHA256 | ffdb53d1a7b69bd2446cc68e43d2ef550087233baaf7e6fcbd38bf636ea2c97c |
| SHA512 | fd780c41c06ca479bf534f72b796ce52f5e79231e28476cae66411da9822d6315b43393f99eac283c744f69f1136ccc2e5eea20ae9999d91fcb0743b93393c0e |
memory/2208-22-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2208-24-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2208-23-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | f9820f1050240d3021014efb42219838 |
| SHA1 | c5defb15a3cdf647632cc8625bd0272fce8cfff8 |
| SHA256 | 1035557e733a31dedccc5d68cb68367f11325673022271d8c182f1478965534d |
| SHA512 | 8f719f2e8cc6a507bf7d584511c92bb77e6df2168b4fa873cd06956d091271cdb69970eb4bc906bf0d4e49e7ebf24dd84b22369bc4f6037cdb7c372921e0c43c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 8425c2cef7881bb733698b1fa063a9b1 |
| SHA1 | 2d326cdd80461c89b63107aafeb2d12c2b7c5ed4 |
| SHA256 | 6052c2033ea485747a9d906774377480aa2d85fe53b578bdc23f37972615589c |
| SHA512 | 1168d0cfb1d10632c32acf8f71a847cb7749fa3f1395bde3a55ea95b9953cf8223b2bbb71f12f33242e1436bc6cfbb3c5b73f8de91738a38a409aa50b9652e27 |
memory/392-20-0x0000000000530000-0x00000000005C7000-memory.dmp
memory/2208-30-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2208-29-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4380-17-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2208-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2208-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2208-34-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe
| MD5 | b223eb351c231205579ab6b61e6b94fd |
| SHA1 | 5e83d6467348d00882707ed3baf54dd2673dad1c |
| SHA256 | 85dbb98e4407e2bf45898c3b7c2fb1fcf7a956a3a215743f30e1b34cf0fef3bc |
| SHA512 | 16ebfc482eb58e2b4090238c5224d554dfcb3bb7658e2216ba0c407e3643dd4f38285e963a91db7c005bf965863cd93c8360b256b833cfdad2176feb532d4ccb |
C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe
| MD5 | aadbd6db48fbae01b6e75743bc391a5c |
| SHA1 | 7581ab5c52ffb9a5c08806cb1b008502056834a7 |
| SHA256 | 63aef04f516b8815d7b5cc18d6b41554f0f5aee68c7ee1822fe3951b1b7187a1 |
| SHA512 | e1a20e288810a31973b9d050b884fa0ac7362443b723625ddc7fea97a51b53124758d06ab883eeba40e2594f3ab242b48ba83554c06b81e513cf429486d2bda8 |
memory/3608-50-0x00000000005C0000-0x000000000060B000-memory.dmp
memory/4496-52-0x0000000000400000-0x000000000065E000-memory.dmp
memory/4496-51-0x0000000000400000-0x000000000065E000-memory.dmp
memory/3608-49-0x0000000000620000-0x0000000000720000-memory.dmp
memory/4496-46-0x0000000000400000-0x000000000065E000-memory.dmp
C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe
| MD5 | d08e8f7e9b683a277f35f956460a7f0f |
| SHA1 | 39f6f14c5e004efe65e42a6c85f6f5810ef6c0e3 |
| SHA256 | 6abf8996220322e769a32b379e1a7d01023d56fd5a28a70c12d37bc74e8e0268 |
| SHA512 | a3522d216fd6efa3f2dde539d9f8df5e7c01c6ab5411a874d245e49cc646d4a11a90949b76549e6ba4c1c744e4ead1aa60a0e5901981c7ce016058a01c430200 |
memory/2208-54-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe
| MD5 | cf4572d028de79f7c1065ecfddf3bbc8 |
| SHA1 | 80c81785fc3b1a8cd65557a24be1f28e31e01709 |
| SHA256 | c9dde988a40e970985fa1fb9b7290dbf660183671beeb2283589d25a2e103f1e |
| SHA512 | bb5f17d4b89432e882e15aca5bf53595597f2aab0ccc3e3de6e0e44f6ea2ac2b869c447b01b6058a5e0573b65b240515d5e1c4e57dd180e4a8033eaa0a32260f |
C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe
| MD5 | 9b68e88a96e9bd56293f4c8b39314178 |
| SHA1 | a510f7c3d8783d7b8c1335d648cabe70db306840 |
| SHA256 | 73e41876c3fdb962cd993c53d72b055fd7554669bfa8a9ed0de2621cf92f6052 |
| SHA512 | 181322e7bb160f4a6945b5cbc820e39f1ae29e84b9b60bd64e942d9f281f4599e709716bf80ec54b6c39f7f4e3d6d28ec321970ba28617af8027189951eab513 |
memory/2208-63-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3964-66-0x0000000002280000-0x000000000239B000-memory.dmp
memory/4496-67-0x0000000000400000-0x000000000065E000-memory.dmp
memory/4956-74-0x0000000000879000-0x000000000088A000-memory.dmp
memory/4956-77-0x0000000000810000-0x0000000000814000-memory.dmp
memory/4812-79-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 413be23c0c3b8d82d5c6ba901be6025a |
| SHA1 | 1dcbb509a094e832eb1851f4167dffdce8a8206f |
| SHA256 | d7d0b766719ab9f192026d7bc2113a4e27648b07e8e274445b225545b57009c1 |
| SHA512 | c709e092b4ef5c9ec347a3386bb0db03efed1226805c5a5e8d22587a9ce1217998246ae72c8d4f598da285685919db626e882e4dedbbb269a1921e462cf48a8b |
memory/4812-76-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe
| MD5 | dce34ccd95d49bdcf51fb7197b2b31df |
| SHA1 | 5cded5b4c8d8841a7841bd18b326057cebe9c49a |
| SHA256 | ccb892eb37e550e3f37adb6a5c0b92b1eede723849119fbf1cf8a32acee6085b |
| SHA512 | ce98019f279ac2eebb23e79d80e6ec0f298d609872b1ecfef27c1b22bee664bcc72e7770a681afaeaf0984d38474e7ad9b200a87448f298e5b200cc3b67fc1db |
memory/4812-71-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | c9dd4ca6c5c1546b84baddd9cdae5e2e |
| SHA1 | b99b7ef16c624198ed897e49dc8a32b9712f95fa |
| SHA256 | 8d5f08c10710f2e7911ef2f6d841810d8bfb498f0ec94935d2434113a983bdb4 |
| SHA512 | 2734158f2fbb213f4abfe0c777cc5a6036baa71683f55e8d8f142d0b29b1e7fb895be2d8166a753e1069ebbdc4573183ed6d9653b28396d5705b588e4afcb7e2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | d920066e6c8cbb4281cf45b0e1ac4134 |
| SHA1 | 3bcf903dfac0f5ef6b5cd5e4c6a7e43e8cd1f4e4 |
| SHA256 | f35c83a16eea9da526472d30e4075443134876b979bd3ab22aae89158e999fb3 |
| SHA512 | 68e6dd347de535b1d8e82fe784ca31ea71e3f35b8348caa4f1cb2a472543d8b70b1527de315a212a6d5bd00cc24a4dcbe157f11321b31223cbfbcb37f2b37b95 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/4308-102-0x000000000092A000-0x000000000093A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 06e2d3d1ff70826a19b9126473cd3b2d |
| SHA1 | 9a673b489ffb097ad3f9807e5975427857302e67 |
| SHA256 | 7d11d5a5e60feba709e691f4399b833fafb20dffd6ca21ea6bc9790f25341906 |
| SHA512 | 0d6b85dc7b895c499e697636bf020e301fe3adedbbed0371fe875887042902871c9fc9a49c3f6a0f1ae1319cbe35a19d3b5f47369821f2f69bb0eeae33748505 |
memory/1020-127-0x0000000000410000-0x00000000004D5000-memory.dmp
memory/96-124-0x0000000000AAE000-0x0000000000ABE000-memory.dmp
memory/3628-151-0x0000000000940000-0x0000000000A40000-memory.dmp
memory/3668-178-0x0000000000B10000-0x0000000000C10000-memory.dmp
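The Network and Files tables above are the raw material for indicators, but they mix resolver queries, sandbox reverse lookups and real connections, and the same dropped binary appears under several names. The following script parses excerpts of both tables into a tagged indicator list and joins the file entries by SHA256. It is an added example, not part of the report: the row excerpts are copied from the tables above, while the tag names and the `EXTERNAL_IP_SERVICES` and `DEAD_DROP_HOSTS` sets are this example's own. The sandbox records only a connection to `t.me`; reading it as a Telegram dead-drop lookup for the stealer's C2 follows public reporting on Vidar and is an assumption of this example, not a finding on this page. A connection with no DNS name is only tagged for review, because it can equally be C2 by bare IP or OS telemetry.

```python
"""Turn this report's Network and Files tables into a tagged IOC list and
cross-reference dropped files by SHA256.  Added example: the row excerpts are
copied from the report, the tag names and host sets are constructed."""
from __future__ import annotations

from collections import defaultdict

# Excerpt of the behavioral2 Network table (same columns as on the page).
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| KR | 123.140.161.243:80 | brusuax.com | tcp |
| KR | 123.140.161.243:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| NL | 52.142.223.178:80 | | tcp |
"""

# Excerpt of the Files tables: a path line followed by its hash rows.
FILE_ROWS = r"""
C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| SHA256 | 8d5f08c10710f2e7911ef2f6d841810d8bfb498f0ec94935d2434113a983bdb4 |
"""

EXTERNAL_IP_SERVICES = {"api.2ip.ua"}  # "what is my IP" services seen in the report
DEAD_DROP_HOSTS = {"t.me"}             # assumption: profile page used to look up the real C2
STANDARD_PORTS = {80, 443}


def split_row(line: str) -> list[str]:
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_network(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        cells = split_row(line)
        if len(cells) != 4 or ":" not in cells[1]:
            continue  # header or malformed row
        ip, port = cells[1].rsplit(":", 1)
        rows.append({"country": cells[0], "ip": ip, "port": int(port),
                     "domain": cells[2], "proto": cells[3]})
    return rows


def triage_network(rows: list[dict]) -> dict:
    """Separate DNS lookups from connections, dedupe, and tag the connections."""
    domains: set[str] = set()
    seen: set[tuple] = set()
    connections: list[dict] = []
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            # Resolver query: keep the name, drop sandbox reverse lookups.
            if not r["domain"].endswith(".in-addr.arpa"):
                domains.add(r["domain"])
            continue
        key = (r["ip"], r["port"], r["domain"])
        if key in seen:
            continue
        seen.add(key)
        tags = []
        if r["domain"] in EXTERNAL_IP_SERVICES:
            tags.append("external_ip_lookup")
        if r["domain"] in DEAD_DROP_HOSTS:
            tags.append("dead_drop_resolver")
        if not r["domain"] or r["domain"] == r["ip"]:
            tags.append("direct_to_ip")  # no name: C2 by IP or OS telemetry, verify
        if r["port"] not in STANDARD_PORTS:
            tags.append("nonstandard_port")
        connections.append({**r, "tags": tags})
    return {"domains": sorted(domains), "connections": connections}


def parse_files(text: str) -> tuple[dict, dict]:
    """Map SHA256 -> paths and path -> SHA256s from the path/hash-row layout."""
    by_hash: dict[str, set[str]] = defaultdict(set)
    by_path: dict[str, set[str]] = defaultdict(set)
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.lstrip().startswith("|"):
            cells = split_row(line)
            if current and len(cells) == 2 and cells[0] == "SHA256":
                by_hash[cells[1]].add(current)
                by_path[current].add(cells[1])
        else:
            current = line.strip()
    return by_hash, by_path


def correlate_files(by_hash: dict, by_path: dict) -> dict:
    """Same binary under several names, and paths rewritten with different content."""
    return {
        "same_binary": {h: sorted(p) for h, p in by_hash.items() if len(p) > 1},
        "rewritten_paths": {p: len(h) for p, h in by_path.items() if len(h) > 1},
    }


if __name__ == "__main__":
    print(triage_network(parse_network(NETWORK_ROWS)))
    print(correlate_files(*parse_files(FILE_ROWS)))
```

On the report's own data the file join shows that `build3.exe` from the behavioral1 run and one of the `mstsca.exe` copies in behavioral2 are the same binary (SHA256 `fef2c8ca…8b408`), so a hash-based block on either name covers both, while `mstsca.exe` itself is recorded with more than one hash at the same path and should be blocked by path and behaviour rather than by hash alone.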