Malware Analysis Report

2025-08-10 18:25

Sample ID 240115-fhbe7shffk
Target 5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989
SHA256 5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989
Tags
djvu vidar discovery persistence ransomware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989

Threat Level: Known bad

The file 5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989 was found to be: Known bad.

Malicious Activity Summary

djvu vidar discovery persistence ransomware stealer

Detect Vidar Stealer

Detected Djvu ransomware

Djvu Ransomware

Vidar

Downloads MZ/PE file

Executes dropped EXE

Modifies file permissions

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:51

Reported

2024-01-15 04:57

Platform

win7-20231215-en

Max time kernel

300s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\edc48970-8386-4c1f-8bd6-86a23fcc9bfd\\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe
PID 2128 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe C:\Windows\SysWOW64\icacls.exe
PID 2128 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe
PID 2916 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe
PID 2700 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe
PID 796 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe
PID 1112 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe

"C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe"

C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe

"C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\edc48970-8386-4c1f-8bd6-86a23fcc9bfd" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe

"C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe

"C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe

"C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe"

C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe

"C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1456

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 zexeq.com udp
KR 211.168.53.110:80 zexeq.com tcp
SA 5.163.230.46:80 brusuax.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp

Files

memory/2424-0-0x0000000000580000-0x0000000000612000-memory.dmp

memory/2128-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2424-1-0x0000000000580000-0x0000000000612000-memory.dmp

memory/2424-4-0x0000000001E00000-0x0000000001F1B000-memory.dmp

memory/2128-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2424-7-0x0000000000580000-0x0000000000612000-memory.dmp

memory/2128-8-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2128-9-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\edc48970-8386-4c1f-8bd6-86a23fcc9bfd\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe

MD5 72fd6329b754dd39cfec917c900abb53
SHA1 fa5e56d102dacecf25547c850e3624b41a85c62b
SHA256 5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989
SHA512 0c3bd337190662d25af61cce7c5f2fd86c72ec7e0d73e9c2a4fc9ff816f0e5d331b881d9548086db9496ff98755791e23a5346e5d5888a8e08b7203e2a62ea55

memory/2128-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2916-28-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2916-30-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2700-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2700-36-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59fc789bb238cbc7ea9a1fa558aa2135
SHA1 214c76eed4e7e41f383922e67bd82913a8b0886f
SHA256 290f8d4d48dea4fc69dd120d151ef84840bfdc234431580223c8218a8eee7aa9
SHA512 42e8980b2a0ac693838c685f67d3f142049d58c93ab38e5206190a6f9d8e828688061b1432b07556d2b63f6bc2dc8a8714fd8dfb14dcac170d17b23b10c68ddc

C:\Users\Admin\AppData\Local\Temp\Cab5F7E.tmp

MD5 73f101cb474d2101e5ef76e684e3bace
SHA1 8d7a75e1d3addd0b2b4b394f25c4f59890bde628
SHA256 0dfa3f44ecad5dd8e55961e9e87f8fdc4227ead46ad0f318ca52190419b49013
SHA512 3a69cfda58907fa7044677dfc2ad77d6bc7377ec93b21651e6bf0367de11bffd1a94111f5b17d6fde3dd3c13999753d389f5300d32f25be6f658a5995b67a95a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 bb1201b2ff981b3808cd3522c73d47c4
SHA1 a945e830bbddcbcc16d06e47cc841cff58836d3b
SHA256 8e54d8a5f3e75478548fbed8bd4a9eb68a56821f0c468699b2ef16e10327559e
SHA512 57cdcafe515066e182fee915bfc9ad0365595b8d5ab3040c8227a7bb552487d196200514bb0e2b29179a44ffa7a9c1f9b55ec30dc606d049cd7985244a854ce2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b4d3c11015eb23850394f9e41a509fd9
SHA1 090d8f05edfe72f0af93678d8c5cccf9c1def122
SHA256 8fa61e82fbf5fb7825776f35265a65ed071c646f7f49e793f1eaf1130f0c0205
SHA512 a837f4dc1bdbfb12ed73b0d2ae7c27c203f20c812599e4b65ad00df2b5baa31e44aca869d55988b1d8fee2d12d2966a3f82eac38447045bf52599bf4a6a312c7

memory/2700-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2700-50-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe

MD5 c4070da9f9b0581171af16e681ccdff8
SHA1 3fb4182921fdc3acd7873ebe113ac5522585312a
SHA256 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
SHA512 c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427

memory/796-66-0x00000000001C0000-0x000000000020B000-memory.dmp

memory/796-65-0x0000000000300000-0x0000000000400000-memory.dmp

memory/1112-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1112-68-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2700-71-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1112-73-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1112-72-0x0000000000400000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar874A.tmp

MD5 58a5a4c467264ca380e8af576aea5fc6
SHA1 b088408b194566e5374f07b6a1def6367248734c
SHA256 a2c25ad847e0839251881e10d61b39a3d6ec151ed82951b121bb77ecb065c021
SHA512 4c4d32117aa43c852d204de4897881dff6589595e73be4b03c332d4d08bf41fae99b3c7f7c4f87f3d078ae1d44486bb009f6d20be763fbd76c399d68595a1ccf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2961270991fb0e5ec63c69726007c84
SHA1 70a97ecec3e431738f9825cd62d3cef45d752f7c
SHA256 dcc92e02cef83ad45ded312a190b4241861107bf8b52ab8c2bff8b9207f3bcec
SHA512 f83c8a6ae486ecf9ec6a00e2f1fc5a709eafbb73a72e015f7e0e474c3c83b7dbafc4f79cf9d38e5ee7580be7fe1e2ef4c64e2e2944661d1159a343a03f9ceb5e

memory/1112-193-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2700-197-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2700-200-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2700-199-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2700-201-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:51

Reported

2024-01-15 04:57

Platform

win10-20231215-en

Max time kernel

298s

Max time network

298s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\dc68dece-be16-4b9f-a710-d0fd190858cb\\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3380 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe
PID 3876 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe C:\Windows\SysWOW64\icacls.exe
PID 3876 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe
PID 364 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe
PID 4896 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe C:\Users\Admin\AppData\Local\e0d07755-3ba1-4fb8-9a23-b7ae607427d2\build2.exe
PID 772 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\e0d07755-3ba1-4fb8-9a23-b7ae607427d2\build2.exe C:\Users\Admin\AppData\Local\e0d07755-3ba1-4fb8-9a23-b7ae607427d2\build2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe

"C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe"

C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe

"C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\dc68dece-be16-4b9f-a710-d0fd190858cb" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe

"C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe

"C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\e0d07755-3ba1-4fb8-9a23-b7ae607427d2\build2.exe

"C:\Users\Admin\AppData\Local\e0d07755-3ba1-4fb8-9a23-b7ae607427d2\build2.exe"

C:\Users\Admin\AppData\Local\e0d07755-3ba1-4fb8-9a23-b7ae607427d2\build2.exe

"C:\Users\Admin\AppData\Local\e0d07755-3ba1-4fb8-9a23-b7ae607427d2\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1896

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
AR 186.13.17.220:80 brusuax.com tcp
US 8.8.8.8:53 zexeq.com udp
BG 95.158.162.200:80 zexeq.com tcp
US 8.8.8.8:53 220.17.13.186.in-addr.arpa udp
US 8.8.8.8:53 200.162.158.95.in-addr.arpa udp
BG 95.158.162.200:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
BG 95.158.162.200:80 zexeq.com tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 20.231.121.79:80 tcp
BG 95.158.162.200:80 zexeq.com tcp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
BG 95.158.162.200:80 zexeq.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp

Files

memory/3380-1-0x0000000000A60000-0x0000000000AF6000-memory.dmp

memory/3380-2-0x00000000022A0000-0x00000000023BB000-memory.dmp

memory/3876-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3876-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3876-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3876-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\dc68dece-be16-4b9f-a710-d0fd190858cb\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe

MD5 72fd6329b754dd39cfec917c900abb53
SHA1 fa5e56d102dacecf25547c850e3624b41a85c62b
SHA256 5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989
SHA512 0c3bd337190662d25af61cce7c5f2fd86c72ec7e0d73e9c2a4fc9ff816f0e5d331b881d9548086db9496ff98755791e23a5346e5d5888a8e08b7203e2a62ea55

memory/3876-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/364-21-0x0000000000870000-0x0000000000910000-memory.dmp

memory/4896-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4896-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4896-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 11581ed9bf85b0762bf9b961896437dc
SHA1 3e3abd053edb2ec712e42a12e7611fbc0c918c94
SHA256 8ee0f48aa91271b864f9820021b729f0032be7423d0a1f369f02d20b0db954ca
SHA512 65cf11c761fd7ae7040242ceab43c3576f9021f203c1bd0be260ffcc73ed09ee5e8898ab9158d2743e38c08e52fc972dd4157af4c323a6677e3a37d207da7198

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 8269da8ab4a44aa7076d53a87a3e6d7b
SHA1 d23ea909b27994ffc29d2760c14fdcf54bf33b9c
SHA256 c9eef76da9cd8e392e3e755c866a12fb3c3d47b0cd167ce9f6ddc3a66702f90d
SHA512 65d76174905cc9f321cc81b083f407fbb4af9d66ac691a6ae0a466f016735c616f295347a033a4c7ff7a5a93d2235a430603dd0eb8615c318d123fce5972c49f

memory/4896-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4896-30-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\e0d07755-3ba1-4fb8-9a23-b7ae607427d2\build2.exe

MD5 c4070da9f9b0581171af16e681ccdff8
SHA1 3fb4182921fdc3acd7873ebe113ac5522585312a
SHA256 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
SHA512 c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427

memory/4896-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/772-40-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/772-41-0x0000000000810000-0x000000000085B000-memory.dmp

memory/1480-42-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1480-45-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1480-46-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1480-51-0x0000000000400000-0x000000000065E000-memory.dmp

memory/4896-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4896-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4896-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4896-58-0x0000000000400000-0x0000000000537000-memory.dmp