Malware Analysis Report

2025-08-10 18:25

Sample ID 240115-fh8eyahfhj
Target 7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668
SHA256 7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668
Tags
djvu vidar discovery persistence ransomware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668

Threat Level: Known bad

The file 7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668 was found to be: Known bad.

Malicious Activity Summary

djvu vidar discovery persistence ransomware stealer

Detected Djvu ransomware

Vidar

Detect Vidar Stealer

Djvu Ransomware

Downloads MZ/PE file

Modifies file permissions

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:53

Reported

2024-01-15 04:58

Platform

win7-20231215-en

Max time kernel

296s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9d530b51-7c10-4fdb-ab63-a2b5b16c0b86\\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data elided] C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data elided] C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2976 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2976 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2976 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2976 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2976 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2976 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2976 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2976 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2976 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2976 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2136 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Windows\SysWOW64\icacls.exe
PID 2136 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Windows\SysWOW64\icacls.exe
PID 2136 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Windows\SysWOW64\icacls.exe
PID 2136 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Windows\SysWOW64\icacls.exe
PID 2136 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2136 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2136 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2136 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 1432 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 1432 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 1432 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 1432 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 1432 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 1432 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 1432 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 1432 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 1432 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 1432 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 1432 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2708 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe
PID 2708 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe
PID 2708 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe
PID 2708 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe
PID 2896 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe
PID 2896 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe
PID 2896 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe
PID 2896 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe
PID 2896 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe
PID 2896 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe
PID 2896 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe
PID 2896 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe
PID 2896 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe
PID 2896 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe
PID 2896 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe
PID 1652 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1652 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1652 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1652 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe

"C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe"

C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe

"C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\9d530b51-7c10-4fdb-ab63-a2b5b16c0b86" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe

"C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe

"C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe

"C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe"

C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe

"C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1456

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
KR 211.168.53.110:80 brusuax.com tcp
US 8.8.8.8:53 zexeq.com udp
BG 95.158.162.200:80 zexeq.com tcp
BG 95.158.162.200:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
BG 95.158.162.200:80 zexeq.com tcp
FI 65.109.241.139:443 tcp
BG 95.158.162.200:80 zexeq.com tcp
BG 95.158.162.200:80 zexeq.com tcp

Files

memory/2976-0-0x00000000002B0000-0x0000000000342000-memory.dmp

memory/2976-1-0x00000000002B0000-0x0000000000342000-memory.dmp

memory/2136-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2976-3-0x0000000001DE0000-0x0000000001EFB000-memory.dmp

memory/2136-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2136-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2136-8-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\9d530b51-7c10-4fdb-ab63-a2b5b16c0b86\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe

MD5 2ef95cac7a29f753ddd6722ad578638b
SHA1 ae4b034b625e18192d3f1e4da6a06c56e9241848
SHA256 7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668
SHA512 08335b9087c9d642935db87223b9a7e6ada2ff9f7a3b4431e7a0200112d11dfe51e0fd0931694a98eba48ee881eefcee37c51bb83892a3b7f9e05b7b38f5d31c

memory/2136-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1432-28-0x0000000000350000-0x00000000003E2000-memory.dmp

memory/1432-29-0x0000000000350000-0x00000000003E2000-memory.dmp

memory/2708-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2708-35-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 ea52eae0b1ac7dc634c6e69553977bb2
SHA1 a5175b2445970384d0a45ea34aadc8fb3978baed
SHA256 8025f9084aeadb1947f27ba37402c2b91aa5e1308112615dfe24806802fdefb7
SHA512 856f0e5202694fbd257ccd224b368b74c4b3782525d82f5b6f12bddc51f6c7159d0335a12115f46e38761fa100ec2ee6e95223beb54c8cedda59eaa11f320b1c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7ca6307f3c6d3c642387da9b50996fb4
SHA1 77e6ae6ab6a970e4631f29dc8a9aa821b6c7e8b5
SHA256 0edec2cce9043228dfc3f439bb54181f368c48b5c54b5390e8585d854d423c77
SHA512 61b17213073e42952ff4ba1ee4638269b64235a1dcfe497ec8db34c9a9b24bdd5e8cf0bfd1af747a3a37ffc09296b80501274e7f6507caf5257d9acf56e47205

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 81196706f8118da495eaed0213450462
SHA1 4ca806d4fceb33f22c16b7f265f1d45cbf66ee09
SHA256 cb7712bb4bff270e326d90d879b3c08cae006cc0a104c5b1cd1fe75e64dbb859
SHA512 f383223651e389e5da3931ecb33925e13b954c6241506969802144ee9ce7b5447ba7343ed4ff760e9644832c4abb0ab1ed36fc12bfb07f102a8d67b0161f969f

C:\Users\Admin\AppData\Local\Temp\Cab6A38.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2708-48-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2708-49-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe

MD5 c4070da9f9b0581171af16e681ccdff8
SHA1 3fb4182921fdc3acd7873ebe113ac5522585312a
SHA256 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
SHA512 c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427

memory/2708-61-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1652-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1652-68-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2896-64-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2896-71-0x0000000000460000-0x00000000004AB000-memory.dmp

memory/1652-72-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1652-73-0x0000000000400000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar980C.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2444f211e7d2e7896e276a07a9b60eea
SHA1 4b753eb531fac26dd798d52fc9ff58877d72dd16
SHA256 f2aed7c92bf7d3560676cacac94a35500c3a76ce2b023f0c1feb4b58f57afe9a
SHA512 d553182641e07706565562ed5920a6e779132aec17bc57f9ed24b2c4101bec692cb0cbdb3a88f865f83f5edb0cff640f043c6a784abb0d550f52c886f2154731

memory/1652-194-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2708-197-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2708-199-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2708-200-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2708-201-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:53

Reported

2024-01-15 04:58

Platform

win10-20231220-en

Max time kernel

297s

Max time network

303s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\28ce7fef-f09c-4687-a619-5f0ca079d85e\\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 316 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 316 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 316 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 316 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 316 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 316 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 316 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 316 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 316 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 316 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2684 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Windows\SysWOW64\icacls.exe
PID 2684 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Windows\SysWOW64\icacls.exe
PID 2684 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Windows\SysWOW64\icacls.exe
PID 2684 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2684 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2684 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2860 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2860 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2860 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2860 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2860 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2860 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2860 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2860 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2860 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2860 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe
PID 2004 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe
PID 2004 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe
PID 2004 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe
PID 1800 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe
PID 1800 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe
PID 1800 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe
PID 1800 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe
PID 1800 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe
PID 1800 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe
PID 1800 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe
PID 1800 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe
PID 1800 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe
PID 1800 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe

"C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe"

C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe

"C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\28ce7fef-f09c-4687-a619-5f0ca079d85e" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe

"C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe

"C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe

"C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe"

C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe

"C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1908

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 zexeq.com udp
KR 211.168.53.110:80 zexeq.com tcp
KR 211.181.24.133:80 zexeq.com tcp
US 8.8.8.8:53 110.53.168.211.in-addr.arpa udp
US 8.8.8.8:53 133.24.181.211.in-addr.arpa udp
KR 211.181.24.133:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
KR 211.181.24.133:80 zexeq.com tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
KR 211.181.24.133:80 zexeq.com tcp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
KR 211.181.24.133:80 zexeq.com tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

memory/316-1-0x00000000009D0000-0x0000000000A72000-memory.dmp

memory/2684-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2684-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2684-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2684-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/316-2-0x0000000002300000-0x000000000241B000-memory.dmp

C:\Users\Admin\AppData\Local\28ce7fef-f09c-4687-a619-5f0ca079d85e\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe

MD5 6628eb387c0fb4329dd464a2e690278a
SHA1 fe2a0e08f60b241f8963217d08a985dca531f97c
SHA256 7200c9ba76424154d3164e096234eb5a89e7f02635b8c019b4ca7beb09188bdf
SHA512 ff0112d8805e328c161d7dc4156ffbb4417a8afbcce50b5f5df3fa10a11f33b821369bfdf636a3911358ea4fd60405bbff33f7d61fc795a2b96f97c0e9e55e00

memory/2684-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2860-22-0x00000000008A0000-0x0000000000937000-memory.dmp

memory/2004-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2004-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2004-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 3540b29390984ff8967c0eee238c907a
SHA1 65e1a15c73b1695308f73c154673cde04c201b23
SHA256 a7d25b5295a544a47958707fde8445fbc8d47b3f5670bae304239bc37c9f8d47
SHA512 32cd7ab111b1155398e9ad38f0b0c273106b38b2942900a1c94bb464d26f79607da798da3a8bf7535311288e776e9a362d7c8f4baab2cfcb828cfe5caf307841

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 feecae61d880321dbbd0d32522d4b852
SHA1 ee78bf411a139889dc1a691c4277e0e3e3629f7e
SHA256 c55c8a7bd3391a265396f6f8de0490ca8784803c259dfaccb8ecfa83fa04ad12
SHA512 c94e488487cd21b32be4b964da8f53fb75e0f38df71b58b8f3b391d47d8337207ec8b51c94b9d7178677b48265200366c1db1456ddbe042a80377a6c555bc14a

memory/2004-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2004-29-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe

MD5 a7f4a71c03997e5363d8851d071cf00a
SHA1 881489c07963f9c62d05dec13b8e6b7abadc3a3c
SHA256 6d3943fce8b3da19e36f379a9707a365c9c62c0c6fe706abbc3ff866a248f60b
SHA512 f2a982d98ee350ca3b09841294ff9ee9bb3028d6b7bab230db94ef6143f766d2b6d18814e10565b16978405398e01fd232cc0d9e608f950dbc9ec1d398f66395

memory/1800-41-0x0000000000520000-0x0000000000620000-memory.dmp

memory/1800-44-0x00000000020C0000-0x000000000210B000-memory.dmp

memory/396-43-0x0000000000400000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe

MD5 ba897519cf035a5d589cd1cc43e88acd
SHA1 0d4320c3e59b679122fbf01ff09ad95ab0ee2d47
SHA256 ebbe00c547df623096cbd2452fdad6345ebb45c4f2f894123dc830b4959861ee
SHA512 fefeff649f0ef23ce3f2f0f93ca6b2e7a535936be3fdc2269e414c1d71032e1984ec556b9f2d28142603caef13f9c759405c16577511c2b25c4d579918c1ee94

memory/396-39-0x0000000000400000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe

MD5 cac7c1e98cd83b5b9b08e6402801e543
SHA1 c84fc44831b50e3177a7a6d5b96202a91c883b72
SHA256 b405fcbef76f9b3dd0cd40889f9475a978bde4034087dd183f97c5ffd546d4e0
SHA512 75cc29303a2fc0ae78fbad6120ba5cf18eae7af9d3e2b1e31e4a54e189eeb50b03c7e0b358b5b878cee769e5feeb585a7f6a4e00f1a204d58790f690cc19dc24

memory/396-45-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2004-47-0x0000000000400000-0x0000000000537000-memory.dmp

memory/396-51-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2004-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2004-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2004-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2004-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1800-59-0x00000000020C0000-0x000000000210B000-memory.dmp