Malware Analysis Report

2025-08-10 18:25

Sample ID 240115-fh2x6aaff2
Target 6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e
SHA256 6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e
Tags
djvu vidar discovery persistence ransomware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e

Threat Level: Known bad

The file 6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e was found to be: Known bad.

Malicious Activity Summary

djvu vidar discovery persistence ransomware stealer

Detected Djvu ransomware

Vidar

Djvu Ransomware

Detect Vidar Stealer

Downloads MZ/PE file

Loads dropped DLL

Modifies file permissions

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:53

Reported

2024-01-15 04:58

Platform

win7-20231215-en

Max time kernel

297s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\abf57921-7c74-4723-be80-40b0f03c9352\\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary value omitted] C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2472 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe
PID 2452 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe C:\Windows\SysWOW64\icacls.exe
PID 2452 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe
PID 2136 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe
PID 528 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe
PID 1808 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe
PID 2568 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe

"C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe"

C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe

"C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\abf57921-7c74-4723-be80-40b0f03c9352" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe

"C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe

"C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe

"C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe"

C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe

"C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1428

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 zexeq.com udp
KR 211.181.24.133:80 zexeq.com tcp
CO 186.147.159.149:80 brusuax.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp

Files

C:\Users\Admin\AppData\Local\abf57921-7c74-4723-be80-40b0f03c9352\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe

MD5 6e1ad02bf816694f51cee197284676d7
SHA1 d77d8bfef363dac6948ffd59041520e177884b42
SHA256 6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e
SHA512 4a29311f123e27773287264f82bf913b0a4cbc4424aae0c3d3bd4315f3b6a280f03ef1d1bc76e920238a66aa90b49d14eb3ed6804f0450491546d093ea47bab4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 9beb1dc135d2bf40a29e531f13f1d2e4
SHA1 01362de25af802fe5205210dcc819972ef93b7cf
SHA256 b0e867b73a4fe868952af35099e5fe88d5b56eddb9bacbdc6ae650220dce3854
SHA512 53240d976349a22e5ce8ee9d5ab0e7c6836e74cb3bb0b97c3fd47184a14e89a629d74db381d388c3259fd3429cd9e79fc8880472e0614a1a6f8853e41d01eb40

C:\Users\Admin\AppData\Local\Temp\CabB0F7.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d01450b6a732dd95ed5185181aaa715
SHA1 55a853361e26d3e915622c51c550beead21d0b03
SHA256 63cd63d026b88826eac3ca6fe367d8d5dbc42fd2856b0e9bf44040b0a7d86916
SHA512 32ff6b0ca126fe77c7864e732624191556e901db4062b891d7428da6936527ebad8b73a646432fb6698b7747299ecc462385440b95be4156865150d7341b4b83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fe94f21ff90dc87f99969de124b03ee7
SHA1 b51f17060e14403927337b27cba6d0a57adcdb53
SHA256 8188c5bcbb7eddd139c1be81d7a9b81732f4bc765c068870e31210e0bae3343d
SHA512 d0923c8b7b072ee46ad967e8c45f0b5d0fd8062968dd586c49f90537aea40dfcb49adb0ca1a19d097b97aeb3b9271c751d1d9ea0b7808c64ab97ff857af40230

\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe

MD5 c4070da9f9b0581171af16e681ccdff8
SHA1 3fb4182921fdc3acd7873ebe113ac5522585312a
SHA256 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
SHA512 c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427

C:\Users\Admin\AppData\Local\Temp\TarDB14.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b9d2781cd117dd292cd615ac054afbf
SHA1 12bca71a5adfc005d9097c7ebac021ae0c656978
SHA256 678257e103c879d50e9303cb57b992ace2c26d26a4aad5c45e7c5119747ab61d
SHA512 b48291d0970fa4545525eefb2b5561e1a0783bbc45a3b920874162019564e118d275e87e157d6d9138c71bd04830b6d4f0cdde578414e4cd908907c09757cb33


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:53

Reported

2024-01-15 04:58

Platform

win10-20231215-en

Max time kernel

299s

Max time network

307s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\609fa6bd-59af-4c0d-8b22-38c39690a586\\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4372 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe
PID 4828 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe C:\Windows\SysWOW64\icacls.exe
PID 4828 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe
PID 2928 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe
PID 656 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe C:\Users\Admin\AppData\Local\3e574088-1159-4aeb-8193-7f855ba9080c\build2.exe
PID 4168 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\3e574088-1159-4aeb-8193-7f855ba9080c\build2.exe C:\Users\Admin\AppData\Local\3e574088-1159-4aeb-8193-7f855ba9080c\build2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe

"C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe"

C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe

"C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\609fa6bd-59af-4c0d-8b22-38c39690a586" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe

"C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe

"C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\3e574088-1159-4aeb-8193-7f855ba9080c\build2.exe

"C:\Users\Admin\AppData\Local\3e574088-1159-4aeb-8193-7f855ba9080c\build2.exe"

C:\Users\Admin\AppData\Local\3e574088-1159-4aeb-8193-7f855ba9080c\build2.exe

"C:\Users\Admin\AppData\Local\3e574088-1159-4aeb-8193-7f855ba9080c\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1908

Network


Files
