Analysis Overview
SHA256
5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95
Threat Level: Known bad
The file 5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95 was found to be: Known bad.
Malicious Activity Summary
Vidar
Detected Djvu ransomware
Detect Vidar Stealer
Djvu Ransomware
Downloads MZ/PE file
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:52
Reported
2024-01-15 04:57
Platform
win7-20231215-en
Max time kernel
293s
Max time network
156s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c7a8d402-37d2-464d-8f6c-8241bbef596c\\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob value not preserved in this report] | C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob value not preserved in this report] | C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
"C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe"
C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
"C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c7a8d402-37d2-464d-8f6c-8241bbef596c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
"C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
"C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
"C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe"
C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
"C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe"
C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
"C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1456
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
"C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {94260BD7-4207-46A4-87B1-94A819890B9E} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| KR | 211.168.53.110:80 | brusuax.com | tcp |
| KR | 123.140.161.243:80 | habrafa.com | tcp |
| KR | 123.140.161.243:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
Files
memory/2752-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2752-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2752-8-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1684-7-0x0000000000220000-0x00000000002B1000-memory.dmp
memory/1684-4-0x0000000001E30000-0x0000000001F4B000-memory.dmp
memory/2752-9-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1684-1-0x0000000000220000-0x00000000002B1000-memory.dmp
memory/1684-0-0x0000000000220000-0x00000000002B1000-memory.dmp
C:\Users\Admin\AppData\Local\c7a8d402-37d2-464d-8f6c-8241bbef596c\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
| MD5 | 0a1c07d8f0a02a3b3ad87fb6770993c3 |
| SHA1 | 6f2f6e352bba65133369ff22fd8d2fcd7222bb78 |
| SHA256 | 3c6e60fc855b4a961ed906f36321da84cbadda7717a6596b2762d54829f96c3e |
| SHA512 | 9452393e5457c8cc8936bfe9b157886f557df699468b4c9dca7f1d91aa6e3bb34d20556987bbef5d5d3ab4f70ed8cb23b7de9ac0ea1570d819b4a3db768ce2aa |
memory/2088-28-0x00000000002E0000-0x0000000000371000-memory.dmp
memory/2752-27-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2088-30-0x00000000002E0000-0x0000000000371000-memory.dmp
memory/2860-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2860-35-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 077d0320462b49e67107a0c054bc4e18 |
| SHA1 | eca4dbf3ba2871eb256d430bc6f19cefc937f5f9 |
| SHA256 | f940b7fbd3b64eb8680a2e8e0fe796c8185575b4de7afb8e5bd019277e2de53d |
| SHA512 | 35774686b5e99b18668ac662224a138f70a926b34a171cfafa22d2026a80c82c57f5c4deacdddebbffaf6c7c9d37052f932777321df6c1e6dcccdff6f5692981 |
C:\Users\Admin\AppData\Local\Temp\Cab2CAC.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 56f3a4084e5911a6842ea6491c6509d1 |
| SHA1 | 4acc7dee468700dd3171444a7fffa754abade33b |
| SHA256 | 3e13aee320061b7a0087727380d216d9660c4a0ed8400bda42b297893a2cb580 |
| SHA512 | cdae98628f7ee2e547ff0f2121d12d2d82f3c5e5a81f56270edd4e801bacb15f78d433409aad15b2ce2b5b8e5eb2a0cf4fe7820884cf238612376ef5b42802d9 |
memory/2860-50-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2860-49-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 85a3356dc69b9ba81a1200a295775c69 |
| SHA1 | d2570084703e635ddc5d64b3e29aaee0458904ce |
| SHA256 | 7ff66131a092b016d48507adbd45eae27d08e32b5c9383e4abaec0d196e60a22 |
| SHA512 | 69d7a55d36e1ffed5cf505a2401ccabb2d6cfb7398edc82f7a122fc197e1ee8a59b882add73b99086aec2110674320a8eda88ecf534b80ec4de5d0ca3c389a5c |
memory/2860-57-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2860-56-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2860-54-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
| MD5 | 93a9fc448f5d6ee357b877ea45c728b1 |
| SHA1 | 9117410d638153298f2ee16e6c9f54dd0ab95533 |
| SHA256 | 6594e2680d17afa761e0dd6f2e9c1353ce5a7918e381e649ab602d263ff446bf |
| SHA512 | b5a0ac57794cb9ef8b96d22644df17df73cf930b86d0c3be781a8544c2c6e482f075c56dfc7c15fb93eaa34558ad533f8f099d8d1055ec77bdd02a46d97faebe |
C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
| MD5 | dce665b9fcabb81b8993ea1ffe1a1545 |
| SHA1 | 76ffa54e06e7cf6c30b80b1622c3688322f072f2 |
| SHA256 | 378589590951cabf226b9d40da1c3809eb391cd976155c15e39b6d63e80face2 |
| SHA512 | c329fd1637d204922f2e144f4c2cf74791df3dcf7069e140f42620b1bcc020b8a5904e37a43f3caba0bdf7759872b5f6c2e6c340993db77a1e9adbada0f71883 |
\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
| MD5 | 090bd842e2d09d1d2a5645a92c0b2f62 |
| SHA1 | 048f1bb3ec59cf58f19de66f5ebec38b60e35327 |
| SHA256 | 6390a49d9dd6db8b3aa5c400f09b2ea3e7416d4ddc1b29091e64128c73a979ce |
| SHA512 | e380a72e672ed8944152ff2ad4cfdd9385bccf8544b1b51c091b39a937fe1fe7a5969733da383506b52c704ba20e18ccd1ce56a299afc8029ce0599cf7d0b884 |
\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
| MD5 | b3d165d49705ef1bcaaef95d51184a7c |
| SHA1 | 86f1dbad38aa09e58972f5b1f02a9a2d6216a74a |
| SHA256 | a7179f0c3353e1341c7fa282f648325d250ae82bb2f6df154cee3d52de1b8ec2 |
| SHA512 | f7ab03efa5f199aeaf76a6af20340fc38ead59b5dac127a16383112b674d33c0945686a25097db19236220b64de562dc691e5a7277557b3c72126b91c4b10e9c |
C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
| MD5 | ca3917b2e5bbdb9e5734fe725b5b80a6 |
| SHA1 | 068fa9764296f639d982053e84016230370dd5e1 |
| SHA256 | 7e57d1e8d655eddfd1567867e662caaffdfd4864d9a15098f83f02569502fe7e |
| SHA512 | c7aa7e06505c4c029db5c36fd43a1bdff654cd429b5f34dfd8e204b857c157b249602f30c6413f8d5f58e36058d109c87fd74101f1e6df25fbdc965c2c086e73 |
memory/1260-78-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1260-80-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2860-79-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2168-74-0x0000000000230000-0x000000000027B000-memory.dmp
memory/1260-75-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2168-72-0x00000000008A0000-0x00000000009A0000-memory.dmp
memory/1260-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
| MD5 | 93ccbec018a8da1d4e271098e5849f98 |
| SHA1 | e9e3314da0018e70bdd94f421956c7425675af4a |
| SHA256 | e349260f7da99382e6f914bece0036c95a0ffe91d70d9490c9d82f2c115fe52e |
| SHA512 | 14b23ce71769384920e3c82dd232ec22b2c67c134be893682c0a29f05ac3c288dcf5f8df5b129f9b4dacd71ba7e2ac60923c6b2f188881888a3718bb018d5f60 |
C:\Users\Admin\AppData\Local\Temp\Tar3E39.tmp
| MD5 | 65846057126132b51335657bd3cdc8e2 |
| SHA1 | 88caac5b2223e54cd73e4084ee84dc5649ab2450 |
| SHA256 | ab393b8e107c7f9012adca3669470ca7153795812aa9685e9b840c395561e828 |
| SHA512 | a767fd47a737ac0e93c08cdecba1496385c6890f5e857563b789f4dd793e7a4ae89eb46330de4772bb4de70085416c692f5273a322c2ec14d65455b0f6834f78 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ba4c6b82e116d3510d2f2e792f38d2a6 |
| SHA1 | e440b6a5043730dc8bbc96d225dae5e14e62cd08 |
| SHA256 | 993ec3c8bf5f56753989067b1bc674e570e09040ba380a18b6a9fe2f7f5d4883 |
| SHA512 | 6ba2047df7e5022f2d2f7b39288c4aae3704b71b1dd1aa4674fe651c521eeed2ec0a1e1d569c8f6714207b2dd6ff32a833869fe2ffe9fafecc1ecc87f89899af |
C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
| MD5 | f49397aceec33fd12c85398ae4b6a68e |
| SHA1 | 0716633105ae3cf692c7fa6f9d0910c2b78ab1a0 |
| SHA256 | 28cf4f95d16427d570b99ebd885f1fdf75e21871fe13403f340cbc9bf9c59211 |
| SHA512 | 83606b8907b69bcdc951939d1b8291809488d53a85306c585df083fa121d01bd06175a6f25594c08396e8c91d79df10c8eb35b181d560a7da99d4006802545bc |
C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
| MD5 | b3d7a44dc29a1b69636e5e6aa6b0bf9b |
| SHA1 | c8f7188cd3e7e90a2413b641ba4356239a734b1a |
| SHA256 | d20851dc0adfcfc1349b4129d1515dc7e366e586190de2150a847f9843c0f43e |
| SHA512 | 87a7c1ba21d256d12e1416f183e7bf60f0e898dd3e52ab5b253c0ed4c987b2fd9d28234dd7bb3c2a7787af5c9e7d5254ca58044458d1b700d8ba8430f6acbd26 |
memory/2860-207-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
| MD5 | bfd0bf66f7c0b8ea98444d781d01d358 |
| SHA1 | 5f420ebc36be51b742f18154f0469825522d2ac2 |
| SHA256 | 13c3ed37541dd8d0894eb63a9ebbac85ef14fe6460eb2953be70624d16c5eaaa |
| SHA512 | 1a740168b63fa66c5b85a930eea56eb789d91c9013c2e402596a450779704aee0db608d388ea4a76d35512c7d7e6f7ad65a39f7211f17b171000c94460b726ed |
\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
| MD5 | 1f6abdb53e15615605affb291438cf2a |
| SHA1 | bb58a4d9b6d5e4a8b2d959373ec46ccc7d547a52 |
| SHA256 | 8ab9396a2aa1b31d98c4ab9cee3fa42f3354f5e49da0bcde1a1cddba8239d4ba |
| SHA512 | 87e40aa79aac63576c5e2fb06d7bf54fdecfaf12d298223dd52f46091f1c1d19d1caf74c1c371375603ff8950f57c07b1f6e6f60aca3c831f8e96a9ecb3dc59b |
\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
| MD5 | 3eb2466aaa27955834a0e3a3ee2980cb |
| SHA1 | abab7a747dae1488d713abf421c6a1e746b017d2 |
| SHA256 | 5fe961ba9c0621da1c7660b411b5126a8785fa6ce97f034dae3ec25166f34ff4 |
| SHA512 | 5bce2df344a839ce41fc1d58d0494f160a302c531e5bdc6f916cd92f8ea6342189dd219a3b6f8e3f6fe0ab84f1d60d1540dd4ab02780e366a3669b6b1c18dfb3 |
\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
| MD5 | af3c3fa08c34302db34aea22e12fc51e |
| SHA1 | 1fd9662ddba3049803289c23cab6493b1d5efda6 |
| SHA256 | 4a9b3f548e9256cd25e9273b5ddabbc5a815000d3eb8d02442fa6279f5334dd2 |
| SHA512 | 0bfe2571a4e65ebf3cafa5ed5c5c54013bd5faf351cea5629890357968a96b970a322cc97533243c379c2d0d82a845f5166ce417b897a377f32e76358e659e88 |
\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
| MD5 | aa4cb72142123c666acec1ee51c694e4 |
| SHA1 | df2d4fc0d6280173b4487250d1facdfe3fec5caf |
| SHA256 | 4fe24a2bb591d887594c6200dede75610149326ff2d31c2bef7480017d991f01 |
| SHA512 | fb0c8e9f3093eb55ed172f17e47af27921202dd1e0c066cda78be5c2460ed9c77f5972716760f203f8d494a44897d0b4032aa61949fa194afea57e52c634b6a9 |
\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
| MD5 | 3adcf124ba7d6ca067ea4c6305a6679d |
| SHA1 | f34c7022d1f3b1006069619b4abbb9a393065d69 |
| SHA256 | 2a7363910cb34de5712dc8c0a7bca16187621fd6d7911d199aeae3847152571a |
| SHA512 | cef9703fa3c00a21948285acd71b5b718206cddf2443b6c7361b48e7c5d6fb0e18662d2526284cf1cb9d9bfabe9c3ef621aa033aadf93663a7796fab2511c3e9 |
memory/1964-234-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
| MD5 | 0c74f8dc892bf829189aabcccc5f0ba1 |
| SHA1 | fb894c4d0ec5c6a8ce0f309d01d0686bb94886ee |
| SHA256 | 09a8265a74b7380966d12e8d0c5e1292ef9117423b9f2fde70c17bb6a271fb99 |
| SHA512 | b3dfdf5eaceacb9fb3ed9fdebf0d3f4faf34f12cbfd1d42e7c3fa480d3de5e1008a2e44857723a5119ffe69a1863c5985455b81bfd598d71db3e5e73e2a56970 |
memory/2248-237-0x0000000000A02000-0x0000000000A13000-memory.dmp
memory/1964-241-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1964-239-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2248-238-0x0000000000230000-0x0000000000234000-memory.dmp
C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
| MD5 | 73c744361d663544a12d1eb10488f451 |
| SHA1 | 33f09811da0beedf347ae22129502e4cbbf8240c |
| SHA256 | b7f9d45530de09859ba7f6eb495f112b001c7d0bd0f5765dbdd64950ccca3f24 |
| SHA512 | 257c15fc9cd5316747ec46edd3c4643db1f08de307adb7c150c85d63d75074193841093613481382f2d1fb80acddbf9d543b582d7625fe2d55994b172381c0fc |
memory/1260-244-0x0000000000400000-0x000000000065E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 19181f57b86b820be337e9f14c3fa297 |
| SHA1 | 4c37b5540f872011108971ca3053c78fe3259b2b |
| SHA256 | 09f347e166b1cd9ba0e146b991bd2a19afc1398348d15f17b553c7db295ca1aa |
| SHA512 | cfa0f3f5c983f107da90b158f9f828f99b0e725722ee3af1e66e06b6912207f79f419e9a0b6854985ee122058385d573b56dbc9626fa0f39a65dae64ffb6d2a7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | dbe8a2a8024004c88fa59bc166ee4a1c |
| SHA1 | 1fb8cd20bf35511fe717bfa79e7dcb9df41562ed |
| SHA256 | 616f87cd6c33bb6e8ed9a724df6d07ef2b0555be28008f1b741558400486a1a7 |
| SHA512 | 547f60f57dc63b56f75205b1bca5888ce971503730609e3e3b63434ce384ab1d7ecc4f5bc98c384e6fd8ebbbf14f98a111098c96052eba604523073a50e9fc1c |
memory/2676-256-0x0000000000990000-0x0000000000A90000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/1464-284-0x0000000000912000-0x0000000000922000-memory.dmp
memory/1080-309-0x00000000002D0000-0x00000000003D0000-memory.dmp
memory/2924-340-0x00000000009F2000-0x0000000000A02000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | b362789135c5db0f5d4565b4538e12a4 |
| SHA1 | d5b051dadc4bdf6271e10453114aba23512239ff |
| SHA256 | 57dcdb835e0de94000d36bbb127d701ac96bc5659fc4048cbe016cfc5e2dfcd7 |
| SHA512 | 438f75b83005786d412bbf0c867ad3f230109332873b32dc7fa82d109d565722b6c9f1b08992b51a8ca948965fa5425f29cee993781219634a5546a7037fe165 |
memory/2768-368-0x0000000000C72000-0x0000000000C82000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | a0432f52c06407f511b2de017af7c49e |
| SHA1 | 2233a133cca47bfc8c2db675a40860f14f390c72 |
| SHA256 | 48e04756e9d5e48119892235b7cfe7c1848699bb110ecf1369f7ae62cef6fefe |
| SHA512 | 3476b772c6161e61d4595e8ef479275d3ee265fcd9c7178adcf31c9803f2b38e47e1f611d2ee3b0090cc65da1bbaa0e7d5fc90cb6b7ee8759386b9ee065b8e99 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:52
Reported
2024-01-15 04:57
Platform
win10-20231220-en
Max time kernel
296s
Max time network
296s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\585116ff-9e61-4b84-8672-c176542c915b\\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
"C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe"
C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
"C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe"
C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
"C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\585116ff-9e61-4b84-8672-c176542c915b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
"C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build2.exe
"C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build2.exe"
C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build2.exe
"C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 1900
C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build3.exe
"C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build3.exe"
C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build3.exe
"C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| KR | 211.119.84.111:80 | habrafa.com | tcp |
| KR | 211.168.53.110:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | 111.84.119.211.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.53.168.211.in-addr.arpa | udp |
| KR | 211.119.84.111:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.150.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
Files