Malware Analysis Report

2025-08-10 18:25

Sample ID 240115-fgxbaahfek
Target 50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4
SHA256 50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4
Tags
djvu vidar discovery persistence ransomware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4

Threat Level: Known bad

The file 50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4 was found to be: Known bad.

Malicious Activity Summary

djvu vidar discovery persistence ransomware stealer

Detected Djvu ransomware

Detect Vidar Stealer

Vidar

Djvu Ransomware

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Modifies file permissions

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:51

Signatures

Unsigned PE

Description Indicator Process Target
(1 match; the export carries no indicator detail, all fields N/A)

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:51

Reported

2024-01-15 04:56

Platform

win10-20231220-en

Max time kernel

296s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
(5 matches; the export carries no indicator detail, all fields N/A)

Detected Djvu ransomware

Description Indicator Process Target
(17 matches; the export carries no indicator detail, all fields N/A)

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

The call (command line under Processes) is icacls "C:\Users\Admin\AppData\Local\6216d487-2582-49fc-b1b3-5f6ee91fa9b6" /deny *S-1-1-0:(OI)(CI)(DE,DC): a deny ACE for Everyone (S-1-1-0) on delete (DE) and delete-child (DC), inherited by files and subfolders, placed on the folder that holds the persisted copy of the sample (the same folder the SysHelper Run value points at). It blocks ordinary deletion of that copy; the folder's owner, or an elevated responder, can still strip it with icacls <folder> /remove:d *S-1-1-0 (or /reset) before removing the folder.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6216d487-2582-49fc-b1b3-5f6ee91fa9b6\\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe N/A

The SysHelper value starts the copy of the sample kept in the GUID-named folder under AppData\Local (the folder the icacls call locks) at each logon of this user, passing --AutoStart; the direct relaunch under Processes carries the complementary --Admin IsNotAutoStart IsNotTask arguments, so the argument string tells the binary which launch path it is on. For hunting, look for a Run value named SysHelper, or any Run value whose target sits in a GUID-named folder directly under AppData\Local.

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 lookups; the 104.21.65.24:443 connections are in the Network table)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2156 set thread context of 796 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 1780 set thread context of 3044 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 2236 set thread context of 3768 N/A C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build2.exe C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build2.exe
PID 1992 set thread context of 4980 N/A C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build3.exe C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build3.exe
PID 600 set thread context of 872 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4012 set thread context of 4452 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4996 set thread context of 2216 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2300 set thread context of 4704 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (2 invocations)

Both invocations run /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" (command lines under Processes): the first from the hollowed build3.exe (PID 4980), the second from mstsca.exe itself (PID 872), which re-registers the same task. A task that fires every minute is why mstsca.exe appears so many times in the process list; the task name, the one-minute interval and a target under AppData\Roaming are each worth a hunt on their own.

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2156 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe 10
PID 796 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Windows\SysWOW64\icacls.exe 3
PID 796 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe 3
PID 1780 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe 10
PID 3044 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build2.exe 3
PID 2236 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build2.exe C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build2.exe 10
PID 3044 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build3.exe 3
PID 1992 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build3.exe C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build3.exe 9
PID 4980 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build3.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 600 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe 9
PID 872 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe 1

Identical repeated rows from the export are collapsed into the Count column. In this trace an ordinary child launch shows three writes (icacls, schtasks, the --Admin relaunch of the sample, the build2.exe and build3.exe launches), while the nine-to-ten write bursts line up one-to-one with the SetThreadContext pairs above: the parent writing a new image into a suspended child of its own executable and then redirecting the child's thread, i.e. process hollowing.
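Read together, the SetThreadContext and WriteProcessMemory tables describe a process-hollowing chain. The Python below is an added example, not part of the sandbox output or of the malware: it parses rows in exactly the "PID a set thread context of b N/A <image> <image>" / "PID a wrote to memory of b ..." format used above, flags a hollowing pair only when the parent both wrote into the child and redirected its thread and both run the same image (a plain relaunch such as 796 -> 1780 is left unflagged), and prints the resulting tree. The embedded rows are a constructed subset of the behavioral2 rows with the sample renamed sample.exe and the GUID folder shortened; duplicate write rows are not needed for the logic and are omitted.

```python
"""Rebuild the injection chain from sandbox 'set thread context' / 'wrote to
memory' rows and flag process-hollowing pairs (added example, not sandbox code)."""
import re
from collections import defaultdict

# One row of the sandbox's SetThreadContext / WriteProcessMemory tables.
ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Constructed subset of the behavioral2 rows above: sample renamed to
# sample.exe, the GUID folder shortened, duplicate write rows dropped.
SAMPLE_ROWS = r"""
PID 2156 set thread context of 796 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
PID 2156 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
PID 796 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\icacls.exe
PID 796 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
PID 1780 set thread context of 3044 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
PID 1780 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
PID 3044 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\1943eebf\build2.exe
PID 2236 set thread context of 3768 N/A C:\Users\Admin\AppData\Local\1943eebf\build2.exe C:\Users\Admin\AppData\Local\1943eebf\build2.exe
PID 2236 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\1943eebf\build2.exe C:\Users\Admin\AppData\Local\1943eebf\build2.exe
PID 3044 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\1943eebf\build3.exe
PID 1992 set thread context of 4980 N/A C:\Users\Admin\AppData\Local\1943eebf\build3.exe C:\Users\Admin\AppData\Local\1943eebf\build3.exe
PID 1992 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\1943eebf\build3.exe C:\Users\Admin\AppData\Local\1943eebf\build3.exe
PID 4980 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\1943eebf\build3.exe C:\Windows\SysWOW64\schtasks.exe
"""


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """Return the rows as dicts in file order; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            events.append({"src": int(d["src"]), "dst": int(d["dst"]), "op": d["op"],
                           "src_img": d["src_img"], "dst_img": d["dst_img"]})
    return events


def hollowing_pairs(events):
    """(parent, child, image) where the parent wrote into a child running the same
    image and then redirected one of its threads with SetThreadContext. A plain
    relaunch that is only written to (796 -> 1780) is deliberately not flagged."""
    written = {(e["src"], e["dst"]) for e in events if e["op"] == "wrote to memory of"}
    return [
        (e["src"], e["dst"], basename(e["dst_img"]))
        for e in events
        if e["op"] == "set thread context of"
        and e["src_img"].lower() == e["dst_img"].lower()
        and (e["src"], e["dst"]) in written
    ]


def lineage(events, root):
    """Indented parent/child tree rooted at `root`, one line per PID, hollowed
    children tagged. Child order follows first appearance in the rows."""
    children, images = defaultdict(list), {}
    for e in events:
        images.setdefault(e["src"], e["src_img"])
        images.setdefault(e["dst"], e["dst_img"])
        if e["dst"] not in children[e["src"]]:
            children[e["src"]].append(e["dst"])
    hollowed = {child for _, child, _ in hollowing_pairs(events)}
    lines = []

    def walk(pid, depth):
        tag = " [hollowed]" if pid in hollowed else ""
        lines.append(f"{'  ' * depth}{pid} {basename(images[pid])}{tag}")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print("\n".join(lineage(rows, 2156)))
    for parent, child, image in hollowing_pairs(rows):
        print(f"hollowing: {parent} -> {child} ({image})")
```

The same-image test matters: 796 spawns 1780 from the same executable and writes to it, but never calls SetThreadContext on it, so it is a normal relaunch; 1780 then hollows 3044. Paths in this export contain no spaces, which is why a single \S+ per image is enough; a real export with spaces in paths would need quoting or a fixed-width column split.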

Processes

Tree reconstructed from the SetThreadContext and WriteProcessMemory tables above (PID first; indentation shows parent/child; "hollowed" marks a child of the same image that its parent wrote into and redirected with SetThreadContext). Command lines are the sandbox's, unchanged.

2156 C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
     "C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe"
  796 (hollowed) C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
       "C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe"
    4656 C:\Windows\SysWOW64\icacls.exe
         icacls "C:\Users\Admin\AppData\Local\6216d487-2582-49fc-b1b3-5f6ee91fa9b6" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    1780 C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
         "C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe" --Admin IsNotAutoStart IsNotTask
      3044 (hollowed) C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
           "C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe" --Admin IsNotAutoStart IsNotTask
        2236 C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build2.exe
             "C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build2.exe"
          3768 (hollowed) C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build2.exe
               "C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build2.exe"
               C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1888   (crash handler for 3768; this is the "Program crash" entry in the summary)
        1992 C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build3.exe
             "C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build3.exe"
          4980 (hollowed) C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build3.exe
               "C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build3.exe"
            4836 C:\Windows\SysWOW64\schtasks.exe
                 /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Started by Azure-Update-Task (fires every minute; 18 mstsca.exe instances in the trace, none with command-line arguments recorded):

600 C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  872 (hollowed) C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3700 C:\Windows\SysWOW64\schtasks.exe
         /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"   (re-registers the same task)
4012 C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  4452 (hollowed) C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
4996 C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2216 (hollowed) C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2300 C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  4704 (hollowed) C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Remaining mstsca.exe instances: further firings of the same task, not individually mapped in the injection tables.
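The icacls call, the SysHelper Run value and the one-minute Azure-Update-Task in the process list are the artifacts a responder would hunt for across an estate. The Python below is an added example, not sandbox output or malware code: it tokenizes Windows command lines, parses schtasks switches, and runs three checks over a list of simplified Sysmon-style events. The events are constructed here from the command lines and registry value on this page (sample renamed sample.exe) plus two benign controls that must not fire; the five-minute interval threshold, the "under the user's AppData" test and the GUID-folder pattern are assumptions to tune for your environment.

```python
"""Hunt for the three persistence / defence-evasion artifacts this sample
leaves (added example, not sandbox or malware code)."""
import re

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
GUID_DIR = re.compile(r"\\AppData\\Local\\" + GUID + r"(\\|$)", re.I)
USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
EVERYONE = "S-1-1-0"
SCHTASKS_VALUE_FLAGS = {"/sc", "/mo", "/tn", "/tr", "/st", "/sd", "/ed", "/ru", "/rp", "/ri", "/du"}
MAX_INTERVAL_MIN = 5  # assumption: a task re-firing this often from a user profile is suspect

# Constructed Sysmon-style events: the artifacts from this report (sample
# renamed sample.exe) plus two benign controls that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r'icacls "C:\Users\Admin\AppData\Local\6216d487-2582-49fc-b1b3-5f6ee91fa9b6" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "registry",
     "key": r"HKU\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "data": r'"C:\Users\Admin\AppData\Local\6216d487-2582-49fc-b1b3-5f6ee91fa9b6\sample.exe" --AutoStart'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",  # benign control
     "cmdline": r'/create /sc daily /st 03:00 /tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe"'},
    {"type": "registry",  # benign control
     "key": r"HKU\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def split_cmdline(cmdline):
    """Windows-style tokenizer: quoted runs stay together, the quotes are dropped."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline):
    """Map schtasks switches to their values; switches without a value map to True."""
    toks, opts, i = split_cmdline(cmdline), {}, 0
    while i < len(toks):
        key = toks[i].lower()
        if key in SCHTASKS_VALUE_FLAGS and i + 1 < len(toks):
            opts[key] = toks[i + 1]
            i += 2
        else:
            if key.startswith("/"):
                opts[key] = True
            i += 1
    return opts


def check_schtasks(cmdline):
    """A task created to re-run something under the user's AppData every few minutes."""
    o = parse_schtasks(cmdline)
    if "/create" not in o or str(o.get("/sc", "")).lower() != "minute":
        return None
    try:
        every = int(o.get("/mo", 1))   # schtasks defaults the modifier to 1
    except (TypeError, ValueError):
        return None
    target = str(o.get("/tr", ""))
    if every <= MAX_INTERVAL_MIN and USER_PROFILE.match(target):
        return {"rule": "schtasks_minute_userprofile", "task": o.get("/tn"),
                "target": target, "every_min": every}
    return None


def check_run_value(data):
    """A Run value whose executable lives in a GUID-named folder under AppData\\Local."""
    toks = split_cmdline(data)
    exe = toks[0] if toks else ""
    if USER_PROFILE.match(exe) and GUID_DIR.search(exe):
        return {"rule": "run_key_guid_dir", "exe": exe, "args": toks[1:]}
    return None


def check_icacls(cmdline):
    """icacls adding a deny ACE for Everyone on a GUID-named folder under AppData\\Local."""
    toks = split_cmdline(cmdline)
    lowered = [t.lower() for t in toks]
    if len(toks) < 4 or "/deny" not in lowered[:-1]:
        return None
    path, ace = toks[1], toks[lowered.index("/deny") + 1]
    sid, _, perms = ace.partition(":")          # "*S-1-1-0:(OI)(CI)(DE,DC)"
    if sid.lstrip("*") == EVERYONE and GUID_DIR.search(path):
        return {"rule": "icacls_deny_everyone_guid_dir", "path": path,
                "perms": re.findall(r"\(([^)]*)\)", perms)}
    return None


def scan(events):
    findings = []
    for ev in events:
        image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
        if ev["type"] == "process" and image == "schtasks.exe":
            hit = check_schtasks(ev["cmdline"])
        elif ev["type"] == "process" and image == "icacls.exe":
            hit = check_icacls(ev["cmdline"])
        elif ev["type"] == "registry" and "\\currentversion\\run\\" in ev["key"].lower():
            hit = check_run_value(ev["data"])
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Each check keys on the combination that is rare in benign software rather than on a single token: a deny ACE for S-1-1-0 on its own is unusual but legitimate installers do use icacls, and minute-interval tasks exist, but a minute-interval task whose target lives in the user's profile, or a Run value into a GUID-named folder straight under AppData\Local, is what this family leaves and what ordinary software almost never does.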

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
AR 186.13.17.220:80 habrafa.com tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
AR 186.13.17.220:80 habrafa.com tcp
US 8.8.8.8:53 220.17.13.186.in-addr.arpa udp
AR 186.13.17.220:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
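The Network table mixes four kinds of rows: the sample's own DNS queries to the sandbox resolver, reverse (in-addr.arpa) lookups, connections to named hosts, and connections to a bare IP on a high port. The Python below is an added example, not part of the sandbox output, that parses this exact row format and separates them: the IOC list becomes the connections plus any domain that was queried but never contacted (brusuax.com here), while PTR lookups for peers that never appear as a connection are set aside as background traffic. The table is embedded as a constructed copy of the rows above; the resolver address and the list of public services to pivot on rather than block are assumptions.

```python
"""Triage a sandbox network table into connection IOCs, queried-only domains and
background reverse lookups (added example, not sandbox output)."""
import re

ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
                 r"(?P<name>\S+) (?P<proto>tcp|udp)$")
PTR = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)
RESOLVERS = {"8.8.8.8"}  # the sandbox's upstream resolver, as the rows show
# Assumption: public services to pivot on rather than block outright.
PUBLIC_SERVICES = {"api.2ip.ua": "external IP / geolocation lookup",
                   "t.me": "Telegram, often used as a dead-drop resolver"}

# Constructed copy of the behavioral2 Network table.
SAMPLE_TABLE = """
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
AR 186.13.17.220:80 habrafa.com tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
AR 186.13.17.220:80 habrafa.com tcp
US 8.8.8.8:53 220.17.13.186.in-addr.arpa udp
AR 186.13.17.220:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
"""


def parse_table(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def ptr_to_ip(name):
    """'24.65.21.104.in-addr.arpa' -> '104.21.65.24'; None if not a PTR name."""
    m = PTR.match(name)
    return ".".join(reversed(m.groups())) if m else None


def verdict(ip, port, name):
    if name in PUBLIC_SERVICES:
        return f"public service ({PUBLIC_SERVICES[name]}): pivot, do not block blindly"
    if name == ip:
        extra = ", non-standard port" if port not in (80, 443) else ""
        return f"raw IP with no DNS name{extra}: treat as C2"
    if port == 80:
        return "plain HTTP to a freshly resolved domain: payload or C2 channel"
    return "review"


def triage(rows):
    queried, ptr_ips, conns = [], [], {}
    for r in rows:
        if r["ip"] in RESOLVERS and r["port"] == 53:   # a DNS query, not a peer
            ip = ptr_to_ip(r["name"])
            if ip:
                ptr_ips.append(ip)
            elif r["name"] not in queried:
                queried.append(r["name"])
        else:                                          # an actual connection
            key = (r["ip"], r["port"], r["name"])
            conns[key] = conns.get(key, 0) + 1
    connected_ips = {ip for ip, _, _ in conns}
    connected_names = {name for _, _, name in conns}
    return {
        "findings": [{"dst": f"{ip}:{port}", "name": name, "hits": n,
                      "verdict": verdict(ip, port, name)}
                     for (ip, port, name), n in conns.items()],
        # queried but never contacted: still an IOC (the answer or the connection is missing)
        "queried_no_connection": [d for d in queried if d not in connected_names],
        # PTR lookups for peers with no listed connection: OS background traffic
        "ptr_without_connection": sorted(set(ptr_ips) - connected_ips),
    }


if __name__ == "__main__":
    for finding in triage(parse_table(SAMPLE_TABLE))["findings"]:
        print(finding)
```

brusuax.com is the row a connection-only view would miss: it was queried but no connection to it is listed, so a DNS-log hunt and a proxy-log hunt for this sample give different answers and both names belong on the block list. The four hits to 116.202.0.196:10220 with no name behind them are the strongest single network indicator in the table.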

Files

Two things to note before lifting hashes from this list. build2.exe and mstsca.exe each appear three times with different MD5/SHA-1/SHA-256 values: the file at that path was rewritten during the run (consistent with the "Downloads MZ/PE file" signature), so every hash recorded for a path is a valid IOC and the copy found on a victim's disk may match none of the earlier ones. The memory dumps are the images the hollowed children ran: the 0x00400000-0x00537000 regions of PIDs 796 and 3044 are the same size and hold the unpacked image written into each hollowed copy of the sample, 3768's 0x00400000-0x0065E000 is build2.exe's unpacked payload, and 4980's 0x00400000-0x00406000 is only 24 KiB, the small loader that went on to register the scheduled task. (Which region belongs to which family is an inference from the owning process, not something the sandbox asserts.)

memory/2156-3-0x0000000002290000-0x00000000023AB000-memory.dmp

memory/796-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/796-2-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2156-1-0x0000000002160000-0x00000000021F3000-memory.dmp

memory/796-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/796-5-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\6216d487-2582-49fc-b1b3-5f6ee91fa9b6\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe

MD5 af1965358fd3a51b5d0db70bfdadde14
SHA1 5b448ea833c54dab0ea8b98ec6054614079458d4
SHA256 e861bd7f4625bfa39fbe31cff17f545ad44407f391d9044e7c4cb0255622d63a
SHA512 684b6c4e29742d3198a43554b8007a36f1a9144030ddc0d6faf9c3977b0e271c1e7583188d34e14c3ae27575df174b55f107f0c42ad9e6cdbba4b05ca6458580

memory/3044-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3044-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3044-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1780-20-0x00000000020A0000-0x0000000002142000-memory.dmp

memory/796-17-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 c43dd0502bd646cb1c3501c84c7d78cc
SHA1 c96db4da22324de285a7a946f1613fe27ead8ee1
SHA256 dae88355367286a455ef117028a991c2d3ac3976a73d5cb7bd9d667fca711db3
SHA512 0456a94a4375404158ebca2b9ee24aecc287941b613e7b9bfac157aa498d1d4dfa78b2aca6197ffb3059aeb8ae274a6e56dd5fb5107cd52e47b7b6d026a13542

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 33a26e5d466d17b171015ac71fb4fb0e
SHA1 f24a07900f877f21e0db60016d5d9ceb37872f0c
SHA256 9b36f48f6bbae327f08084a49a3cfc3f75ced04115a14dff51d61638b0a0f816
SHA512 ee7e385f87798b50d27b82c3e963a76d68fbb7870f4ceef8613a606ad203c6c80efc39ab91e4dc818f372288a1ad40686d1364d0080686821086520ddf3837c1

memory/3044-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3044-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3044-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3044-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3044-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3044-38-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build2.exe

MD5 dc5e24f3ba423ced375d94a927b2a42f
SHA1 1ccc1bb6b77ba0043b1448b54325afffd7ee9994
SHA256 c4c130a4e1ca30f6e7fbdce150c2c8938ecc398e714c2acaae8b1670dda024ad
SHA512 15ae540fdd181da3853de714a51141e2fafbbd23674847d959132f6ecd59ff28b8946b62e7b802aa6d9f5227b5fc542c1aec8334c0109ce1dac24f68a0d934ac

memory/3768-47-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2236-51-0x0000000000810000-0x000000000085B000-memory.dmp

memory/3768-53-0x0000000000400000-0x000000000065E000-memory.dmp

memory/3768-52-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2236-50-0x0000000000610000-0x0000000000710000-memory.dmp

C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build2.exe

MD5 02c889cdf706032270b6962271fd7386
SHA1 d8f0ef6295abd4f225bd0898e7ebdf5592c009d8
SHA256 fdf623f07daa32a8d1cf5237e342cde192f01606ecf04b395945c5b9d0bdfbb4
SHA512 043656b25e5e5d6a8fd877cea4832e1cd73951c98727e8843948d9b504de2ef74a234bfd22b31e294738acc91979c7e6490da3d4fc9e095b159c4257f45cd372

C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build2.exe

MD5 e2699964967afa8b1dcf272204adfa37
SHA1 7ebce94f85306236ad9676df8003e94cfe4e5e26
SHA256 6700f017b46053326b388a082e1090725972221d72dad7a4a811c418a8fdfdd7
SHA512 13ec99c117695af85edd13f59f204a1e9db79bfb3510178931d549d96dee179fe6f6fb8aa20e5eb2602d03b8db17fbef4d1282738f7240fd522b7d80da7ffa99

memory/3044-63-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\1943eebf-c9dc-4cdc-851d-75eff6b2162c\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/3768-66-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2236-69-0x0000000000810000-0x000000000085B000-memory.dmp

memory/4980-71-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1992-72-0x00000000008D0000-0x00000000009D0000-memory.dmp

memory/1992-74-0x0000000002290000-0x0000000002294000-memory.dmp

memory/4980-76-0x0000000000400000-0x0000000000406000-memory.dmp

memory/4980-78-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 c7cdde7b95982122372d55969692d371
SHA1 908f29b14ac7445f7824b2ad84568c9e2f475c59
SHA256 d10e85d0ab29eec15ce35439be43e890f621a6cb472859bef790adcc95a916c3
SHA512 cd224be05ae7cd3b0445ff031ad51418b0cbefb9cd52dcbdb2f740a5ed46d9cd38a299aa0b436079b34d2d770c25e51109dcae9bd51be68baa4e24c60f8ef05b

memory/600-96-0x0000000000AB0000-0x0000000000BB0000-memory.dmp

memory/4012-121-0x0000000000B00000-0x0000000000C00000-memory.dmp

memory/4996-145-0x0000000000AF0000-0x0000000000BF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 74ae9689cb04bde426e036319feeb49b
SHA1 b932fd3571f6113cacf1e5eb2b3453a05887963c
SHA256 b59f5c8dc70d0092f4257c3e13745f67e6324edeee709eff32336d3c93bca180
SHA512 642d69ab7ef11418b9d97cfa8882ba38ba5c08fcec428a8a758b9de8ee1d576b4d1fe1a2ca93dc4f1f5e6a8eba8c21f7309975c0c43033350d51e5efe7fcafca

memory/2300-176-0x0000000000B20000-0x0000000000C20000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 b79370edc96b114ffc49aff9b96a00df
SHA1 65ea2b9ed8e05a8bb6227b91882d1265383f8f97
SHA256 09dd739d19c7219d85312bf8657c88322bd8c9b6ca4eb3188c5f8fb72dbfd602
SHA512 c1e296c0e48f83ba411564e43d6e3752a06f90c97a4c55ec22e60ccd0da3e6e5c393a0431a99b5926bd71f572600bc4d125eb93ecaf114b0e0a71aa8e1616b91

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:51

Reported

2024-01-15 04:56

Platform

win7-20231215-en

Max time kernel

296s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
(5 matches; the export carries no indicator detail, all fields N/A)

Detected Djvu ransomware

Description Indicator Process Target
(14 matches; the export carries no indicator detail, all fields N/A)

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b50f4af1-dd35-468c-bcfd-d656faf782b5\\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 lookups)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1992 set thread context of 1700 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 2820 set thread context of 2780 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 2932 set thread context of 2724 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
PID 2136 set thread context of 2988 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe
PID 3000 set thread context of 2812 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 436 set thread context of 2704 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2948 set thread context of 2340 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2120 set thread context of 880 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2436 set thread context of 1856 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d4982
61a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 1992 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 1992 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 1992 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 1992 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 1992 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 1992 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 1992 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 1992 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 1992 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 1992 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 1700 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Windows\SysWOW64\icacls.exe
PID 1700 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Windows\SysWOW64\icacls.exe
PID 1700 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Windows\SysWOW64\icacls.exe
PID 1700 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Windows\SysWOW64\icacls.exe
PID 1700 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 1700 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 1700 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 1700 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 2820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 2820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 2820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 2820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 2820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 2820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 2820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 2820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 2820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 2820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 2820 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe
PID 2780 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
PID 2780 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
PID 2780 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
PID 2780 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
PID 2932 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
PID 2932 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
PID 2932 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
PID 2932 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
PID 2932 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
PID 2932 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
PID 2932 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
PID 2932 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
PID 2932 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
PID 2932 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
PID 2932 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe
PID 2780 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe
PID 2780 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe
PID 2780 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe
PID 2780 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe
PID 2724 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2724 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2724 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2724 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2136 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe
PID 2136 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe
PID 2136 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe
PID 2136 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe
PID 2136 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe
PID 2136 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe
PID 2136 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe
PID 2136 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe
PID 2136 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe
PID 2136 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe
PID 2988 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe

"C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe"

C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe

"C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\b50f4af1-dd35-468c-bcfd-d656faf782b5" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe

"C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe

"C:\Users\Admin\AppData\Local\Temp\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe

"C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe"

C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe

"C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe"

C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe

"C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1480

C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe

"C:\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {BA8381CB-4DE3-45C1-A5DE-64213CE195AB} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
AR 186.13.17.220:80 habrafa.com tcp
AR 186.13.17.220:80 habrafa.com tcp
AR 186.13.17.220:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp

Files

memory/1992-0-0x0000000000230000-0x00000000002C2000-memory.dmp

memory/1992-1-0x0000000000230000-0x00000000002C2000-memory.dmp

memory/1700-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1992-3-0x00000000004C0000-0x00000000005DB000-memory.dmp

memory/1700-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1700-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1700-8-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\b50f4af1-dd35-468c-bcfd-d656faf782b5\50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4.exe

MD5 af0965298074ef2eadb8f3d7d6e03128
SHA1 7a5e64c5dde6174f92b3be9dee33f1edddf84e42
SHA256 50750495d27fc93afddfb07574ecad91245b3395e693a632d124196c91b1e9e4
SHA512 5d4d34637cfd131e901f34b6277f184c773d8f7cd2e274e9ea4bd3f20c33620c13f2ddb0e2b6257751311feace67484123b6bfe745eb2c3c3c92e17404ea3e6d

memory/2820-27-0x0000000000510000-0x00000000005A2000-memory.dmp

memory/1700-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2820-29-0x0000000000510000-0x00000000005A2000-memory.dmp

memory/2780-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2780-35-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 86f9276ce739388ec05647a6f7b087ef
SHA1 58a166bad9b8665ba32647200457fef04a9c450a
SHA256 48c658fcdbab1bb78ea446999c7d2c20c7962d514cd30858898c421fe4f7ce7f
SHA512 3fd469ec04b7c24c32aae6e99ef88f8d7a5b51e57e3fb0b0bbe84c82d6fa136bb2ab6f629d4a2dcc7fbc4425dd19ed9987b4bfa9dc5746fe5958fb87dbad9e97

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56c691112e35f7f57289a1531c371577
SHA1 c5b8fc876ba32b115546f9de1f252542cfbbbf32
SHA256 1685376d9f7dfd752ac5f188138a3de208104577b9b61b930803ca750ca1986a
SHA512 bad210f9b8e5d569a0ec0169035cbe7bdb174f22ba6d0305db392e892a9cf06c2337818329d1962a979d6a0346693cc2ba97c5d243be9f014a3a03694fea6af9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 39c3a132bd7cea68356649c5d5f1cafb
SHA1 6e0fc5c9e3f454567982b896b52dcf807f1834f6
SHA256 78c1154cd230ad92aed698d2b01f3beb5d36fbc067b9d961e2d46fd2e4b2b5ed
SHA512 16518e9527cfd8a5dd2be409f284dd5cd80309f8d68f0498108eb02306a207e7f6efc1b3f50e4752509fb2d36d85e828a87b7d62200d357e6c5864ffa6d42762

C:\Users\Admin\AppData\Local\Temp\Cab498E.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2780-48-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2780-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2780-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2780-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2780-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2780-57-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build2.exe

MD5 c4070da9f9b0581171af16e681ccdff8
SHA1 3fb4182921fdc3acd7873ebe113ac5522585312a
SHA256 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
SHA512 c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427

memory/2724-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2932-72-0x0000000000610000-0x0000000000710000-memory.dmp

memory/2724-75-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2932-74-0x0000000000240000-0x000000000028B000-memory.dmp

memory/2724-78-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2724-79-0x0000000000400000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar620E.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 430a37e2d8bcf21e8c96d159a7123a14
SHA1 73b1f9e234f8f280bd4188d980edef32d0a370c1
SHA256 d1ac160b476bdf201289213de930561aa26005179a0f6fb5e2ee851e8f004581
SHA512 855e227973e90f59ed4220074cdeed837e5e0a0b57d44e4d25dc65d93b5012800d51e98014790ef30608087ef80a90cce59f5d1ce81c7481b7ec10bfdb298e1c

\Users\Admin\AppData\Local\48d9e432-1123-49da-9b70-c252dcb4cbed\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2780-201-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2136-216-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/2136-218-0x00000000001B0000-0x00000000001B4000-memory.dmp

memory/2988-219-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2988-222-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2988-224-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2988-225-0x0000000000410000-0x0000000000591000-memory.dmp

memory/2724-227-0x0000000000400000-0x000000000065E000-memory.dmp

memory/3000-237-0x00000000008E0000-0x00000000009E0000-memory.dmp

memory/436-266-0x00000000002B0000-0x00000000003B0000-memory.dmp

memory/2948-295-0x0000000000870000-0x0000000000970000-memory.dmp

memory/2120-325-0x0000000000900000-0x0000000000A00000-memory.dmp

memory/880-329-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2436-352-0x0000000000900000-0x0000000000A00000-memory.dmp