Analysis Overview
SHA256
b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5
Threat Level: Known bad
The file b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5 was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Vidar
Detect Vidar Stealer
Djvu Ransomware
Downloads MZ/PE file
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Enumerates physical storage devices
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:56
Reported
2024-01-15 05:01
Platform
win7-20231215-en
Max time kernel
299s
Max time network
154s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\356c2969-5b64-4da1-afdc-1539ee879782\\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
Check before escalating: AuthRoot\Certificates is the store that Windows' automatic root-certificate update writes to when a process validates a TLS chain whose root is not yet cached locally, and the CryptnetUrlCache Content/MetaData files listed under Files below are the download cache of that same mechanism. A deliberately installed attacker root would normally land in SystemCertificates\ROOT\Certificates instead. Compare the thumbprint 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 against Microsoft's trusted root list (or a clean image's AuthRoot store) and treat this signature as a finding only if it is not a known public CA.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data not shown) | C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data not shown) | C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
"C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe"
C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
"C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\356c2969-5b64-4da1-afdc-1539ee879782" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
"C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
"C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
"C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe"
C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
"C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 1444
C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
"C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe"
C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
"C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {463077D9-47CD-4ED0-956B-B88E524C77BF} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| PA | 190.218.35.224:80 | habrafa.com | tcp |
| MX | 187.211.34.211:80 | brusuax.com | tcp |
| PA | 190.218.35.224:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
Files
memory/2136-1-0x00000000002A0000-0x0000000000332000-memory.dmp
memory/2824-7-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2824-8-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2824-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2136-3-0x0000000001F90000-0x00000000020AB000-memory.dmp
memory/2824-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2136-0-0x00000000002A0000-0x0000000000332000-memory.dmp
C:\Users\Admin\AppData\Local\356c2969-5b64-4da1-afdc-1539ee879782\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
| MD5 | 22788ef65dc39ffef5312db57b0c9310 |
| SHA1 | e836c5e938eff1179dc6b774a09d3e7e90265593 |
| SHA256 | 9b71de9cf866b5b585d1e8c174c8c2048736c1a35cbceec1dd57007981e531c6 |
| SHA512 | 29b0e053cce0f6e73085e968af1c15c4b0a555523ee429947b193097d3506e3ceda5d2a4aed84aecfa8539e843ae845739fcf13110b069292e9c75ed8b8a7498 |
memory/2824-26-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2468-28-0x00000000004C0000-0x0000000000552000-memory.dmp
memory/2620-34-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2620-35-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2468-29-0x00000000004C0000-0x0000000000552000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\Local\Temp\Cab915.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 91462fff5e024ff68587cb99536df527 |
| SHA1 | 32d8a51b9b33fb8f073a3e8294caa54f1ce9c0a3 |
| SHA256 | cf8e8a70e603049d21d5b49f14c1ee1390695208381466caaf3d3298340ecc7f |
| SHA512 | 127a30d18faf1ca1940f6748b592277685c1eb5a79b9e6de7bd14061a3a0610eb8f23d0128cd827cb392d886ab2c5ebfa6be54bfc225bf465809d72e4d9f2938 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | d6aff1f132ae20154c85d34d81f08df0 |
| SHA1 | 39d4255799529b1810b2cedff76468deffd62361 |
| SHA256 | 2dfab86586ecf066e64645e25c303a993bf8dc553a123670acd7162273c76f5d |
| SHA512 | 4fb7f8b3dc0ded44af80fb35fade0611fd021d555b95fb8d2bfb7233be7c55b8e38c6e2f742f4ad952b112e6da744300b7618dd07db8e67cefb488fca4ab2c32 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 4862e55474a68bd103b48d8276555bc8 |
| SHA1 | dbe4d390b5dfa7035feb496c10cc8ca523232899 |
| SHA256 | c8a0d03c1b272ad150705519a1a4f4a38b94cf108516ee5638ec3beda45913a0 |
| SHA512 | 38b1ba6427d831bbc9d73cb53e91525109765e6bb866914c6ed73d21c9e798af662a5edfe64ff25765bacb4192320558ac1241dc2f65ab56af8b1ac93e6913b5 |
memory/2620-49-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2620-48-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2620-56-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2620-55-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2620-53-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2620-57-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
| MD5 | 7f531c744b9b3e4aa7c43f594373862f |
| SHA1 | b639aff94453644fde55e69701da371b5701a9d4 |
| SHA256 | 1d03309bb5e2db582a71936421e05bcd710d9b7032aab5799c977602c6d17227 |
| SHA512 | c9f49df136fd9c87e321640b8347dea54fc1d1b6393dad57d4598b781350038caa7c1804e411a532f6140228d0d3bc55cecb9c43028e0b56b2e5f34b36a4d9aa |
C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
| MD5 | b071926dcdb69fc865386c11d5af1549 |
| SHA1 | 92310d34e8b3dfa6f6a8357e7fca6ac17441ca36 |
| SHA256 | e53bf6142b8c04425d0295e0b128af57310f7c052d93ce626520774d7a3d978e |
| SHA512 | 28affb69a6d3421693b771d06ef6102b4c3045ecaa777e7ed13d90071cdb0735bbc6d30c9411b2aed6419744e3643ff93d9c16c3aafb9a2c2d1bf1c7bcf34ad8 |
C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
| MD5 | 5b586278979a109655f55c7d0175d106 |
| SHA1 | 522262741c052a130958e582a3c8b1b68e6ee0b5 |
| SHA256 | ce1e4fdf5ba3b89a95def955b6e89ca2bd819a90294d98dfa3efcf1e798d136c |
| SHA512 | 4091cb6fae153845ceb45590327c67b6684a1eb1cb67bf85e3bb6888a4f990bbfd21c018b9d108e20ff7c6ef5be71b23ae7f0bee573ff269bf7b9449372ed9b1 |
memory/1628-73-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1628-79-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1628-78-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2168-77-0x0000000000280000-0x00000000002CB000-memory.dmp
memory/2168-75-0x0000000000660000-0x0000000000687000-memory.dmp
C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
| MD5 | 109f7b17791be79c8253edd0d267d8ad |
| SHA1 | 34143163df2135220184a23287802fe47381bc36 |
| SHA256 | e7bdbea65830b81532dd18aa6a98b7d875100dc177ff6bc3f86963584aaf024b |
| SHA512 | 3a20113d32ce86471af55ac459e35f750514dfba2f75a440e5f56a1b8b05192ffa6a8c2714c170ad3600a42bf493820c3a2e74d948a5cd0b3166d31eddd9c89a |
memory/1628-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
| MD5 | f1e34351afeb5d0dde190bed8f6854e0 |
| SHA1 | 59afa42f892a0389e9e95d05b257385ba5041e87 |
| SHA256 | 543e79ace9beffd86df38e5e2ff01416edb8026834b61674dd39343513085c7e |
| SHA512 | ea327f043610bb4d06e40a8774107208e84ce36d9c06602fdf8b84cd6b3d09016f7859b5f7b103bbb4a1b8bee4eacd26e895bbd933370226d359419518ebc1f8 |
\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
| MD5 | 2c89c33e1c69ed6e5c2680e86a66f88c |
| SHA1 | 1351ce7db5e2a7d6e9c9d054a89fce8dc2e17ef9 |
| SHA256 | 82f3c2eb7b8252e8898d1144e93738de4f87cd78eedcfa0372b5b04f58918d6f |
| SHA512 | 2ca42581c8494318e7b380338d5fc09adf751a132ccb4dc1fa6c4942a92bfb948613f40f5234bee547c7d6555a384a2489876c9b0e60ed632a34dee2b3783e19 |
C:\Users\Admin\AppData\Local\Temp\Tar2405.tmp
| MD5 | ebc7560d2e0e44f9127eef79c8dfa12f |
| SHA1 | 510e98889070f7a041026722bc16ed1fbbd7ff8a |
| SHA256 | 472ada3a26896b84fb5b47446f863b40b472dca5543b33b139b43c81884fc744 |
| SHA512 | a4190c74678a810c2d5ab96004a2d306269e107792adb2362bf04b5b3d52dbccad850fa224cc9a36463dfa8c5d529a0bba915adbfd9e9297011ee8b0636f21c3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d6bd3ce44cb6dbb5a3a758df70b8d2dc |
| SHA1 | ba6edc650597c9b91efcd1fe7fd648db4d18ac8f |
| SHA256 | bf9ec23bbd2ff9112e6b30fb4f87c0ebb70f55bb2d24d37263aa292371733b94 |
| SHA512 | b20a4c7c896c7dced9896a6624f4457e622370f7371c821be1d7e0020fb86e5a1a7c197f744c53127d7fd717cce4ee059f56add9116a77e66e7f6713d92fa001 |
\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
| MD5 | ed8e13e5a7554cff7d7c2db0d2455417 |
| SHA1 | c5311f99993930dc21caca5a4c50ab0195da6dba |
| SHA256 | 4a42c23f02cf5d7ed4d23327ff8aeb6de904d4f27489ced487e3d7e8836966ea |
| SHA512 | 6533c306be27d17f280aa62c674daedd8b3ee9e8fded5f09253ee912b573a4a081ba864308cd434dc7e02fb5f90849e92efe27168793f30308e7312bf8c4d6da |
\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
| MD5 | dca6d478b929680dc412b2612c57f4b2 |
| SHA1 | 443cec2378f02be49b96f86011a0ae84483a0784 |
| SHA256 | 9a93f79207c25873efa7fd2712f48a1a3dc2503ba460e7fc0d49c34e2d45eca1 |
| SHA512 | dd2cdcaade8e06c7edcb8d4336b1b0b298887117e0f1eee6ae8ac05679f04fab03013607bbda0ce5959b3be97900963c10de488b36c2716076cda2cee4a6ce49 |
\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
| MD5 | c4070da9f9b0581171af16e681ccdff8 |
| SHA1 | 3fb4182921fdc3acd7873ebe113ac5522585312a |
| SHA256 | 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0 |
| SHA512 | c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427 |
\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
| MD5 | 40ef730b610d3d44d531c409af7b8482 |
| SHA1 | 21180b11c322c179acad871a43b0a1447baa3b57 |
| SHA256 | 651331f22307be173e49fd2d986236899d499be3b941eef8d734f599c9de130b |
| SHA512 | 6ea7442215229079ed49a7fd90e1e9569a2d6a2e6fd481bf1243186586753a66d8e485d472d394b6b1fd0c357aeaed5f0abbe5b72db0656a57fb120493d797f1 |
memory/1628-200-0x0000000000400000-0x000000000065E000-memory.dmp
C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
| MD5 | c89db5554f918664de6506bed6bfe471 |
| SHA1 | 6b0aa2bfcdd4ffdd237ea1a16b0661065e88f1ee |
| SHA256 | c976a1c217fc221d6e8b93c20708405508025bfe1bc492823fa133c02daea0a3 |
| SHA512 | 9ff01beff0fe0a9f3d1e18847465e632f175aead18d75dd3121057aa2e8eb6c68cb5b82a787dccf8b1a7dfaca262d4d542e765a416a8b955f64a6371decc4228 |
\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
| MD5 | 8bba81fc4053282dad3413859fdfcf80 |
| SHA1 | b8c0df632265e2c0c6a9d8c3b10de25740b763e0 |
| SHA256 | ee702a0e709163c481a0c1321b174dc8b824697022e62a41df89745643a17c0a |
| SHA512 | 1c36e881d6d81c2c254e3fb923cb028ea2799a32ce40849b11942a264e57e3757ae7ce606dd3613d0306ce085dda66684659695b51c4cbc69bca5e8be417aebd |
memory/2620-211-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
| MD5 | f384ec915bf063cd24b0a821d946e533 |
| SHA1 | d5ffc9314cb1bf6799928685251cc4766bf868d1 |
| SHA256 | f167600efe9cedc4e12a5d3bc500fd414100d8ee63c33179beadd4b80e6b15a8 |
| SHA512 | e72dd94fe36e72c173040729bb038b3eaf87b7f48b93b55c953492648de757e9a62c1153efa14a62751f2fd6e6859d7fc71f1dbcdfa8bea38196ce0c5c828314 |
\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
| MD5 | 7b128430e59813ae7189e3cbab0f1248 |
| SHA1 | f3d101b236ca9d14d30aca0d736f3bff90448d16 |
| SHA256 | 6a97c744d60c421cc946aa214139e16ca71f9245c36a6bd1eee339d8245c67fb |
| SHA512 | 494f90339e30fba7b1c7e4c6db3e0aa0ca012762d7ae87cbb6678b21468e89981f7938f937bc106f3de9dddce154c0fc46c02909779b3ad0ec1cce95b4220154 |
C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
| MD5 | c06cd075a1452e83c8fba3c4b8fcabf0 |
| SHA1 | fdf53e934903a3d8e65dea9676a0f5164a1b3fd8 |
| SHA256 | f855eaa3d305579505f231c0c5def62f174013623bcb527debefa29f0718c02b |
| SHA512 | b6fb1fa8dbfcff34f0fda92b6b231899f6161c3d660c0a4988365b47b132ad688b90cde56b75adbde105d4b28140b13a3f4a60bd64fefda8cfb5a535e5d85500 |
memory/2532-218-0x00000000009A0000-0x0000000000AA0000-memory.dmp
memory/332-225-0x0000000000400000-0x0000000000406000-memory.dmp
memory/332-223-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/2532-219-0x0000000000220000-0x0000000000224000-memory.dmp
memory/332-220-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | a9137630666f569392a9498766657d2c |
| SHA1 | 2b44e02c7209ccff03993b34467bdd42536b6eff |
| SHA256 | 9217713dd630683359996518a0ee48d5be19af36867b62b4736b820c9956d712 |
| SHA512 | 1b66b815690fb4f1501f83d4e62a10bc038bb10fa3b2c1cb20d60e881c5ea057c4272d1049baf65cced8632c9b5652b78d55c69936c21e964ec2663139cb7695 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 4d848c2bdb8f20582e3106127393f8f7 |
| SHA1 | 896adf8e2dfd3c5772b97431dc22000caf876aa6 |
| SHA256 | 2be02bf10903444f137b10ebf346b22c8c7e5aec3e23a4f81f8e8167fbce8851 |
| SHA512 | ce61a8db930482c7e8a36d0c9e0759e845e76da1000b3d5a65addc639ce9d6c8a4b765199da9775ed9d3fbfc7073af02b00dd8b2929dae5b931a9773ea1939f1 |
memory/3012-247-0x00000000009B2000-0x00000000009C2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 764dc93cee29e80fb0249489d9138e84 |
| SHA1 | 4d9f306b5076ee63a19bb2594588eadec40985a1 |
| SHA256 | 9a88d4a90f0ff46d37628fb566f9bd1c710cb06d6be140f668524098b013f039 |
| SHA512 | 190085000daae7696a0fa15e5e56b67eaa76779574345d03d2ba318a341f6dcfe0ac7616f129756b16fd91016d85547971127d953a9a923db4558ab3551c6f84 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 4b3fc3105731c7ff3a7e3966416912a2 |
| SHA1 | 0e792bf25e8795158074fa6bd2ee87ad16675124 |
| SHA256 | c0f698bcc4324958848de5d8e1b1bdaed5e01632d8c827a5a95356eb04a2c443 |
| SHA512 | 6ed5ee0139d9d9a676232a6c5d6e9a8528f880025a11fccf8a1a32a999ae5fac41f993c384fabec788e4e47da714d67f1def0348da6b0f4392e7fc7ff1098c28 |
memory/2216-274-0x0000000000900000-0x0000000000A00000-memory.dmp
memory/2216-285-0x0000000000900000-0x0000000000A00000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (zero-byte capture: the digests below are those of an empty file, so this entry carries no usable file indicator)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1312-303-0x00000000008E2000-0x00000000008F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 53c1d0419cc1e389423616aaf846b963 |
| SHA1 | 6fd24277680bc838a2ccfa9d097d186ec5c0a2bb |
| SHA256 | 6d4712ed74160e655967433583d644da0d99c6739b7bf064a17a86b88bdaaae5 |
| SHA512 | 472592264e8cef327cf5eab26d5d4482d81da03e1c6f5587d38dec0cae481959a965b5f43d10a578af9acf817fa85ab392f0b3a61e79bf0c2f505b8657df56f5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 1e4ea4014fb21520abe07b3a598bf88e |
| SHA1 | e1017249638c61efe983721ac1be953870d9d675 |
| SHA256 | d8020fc96492cc7de30fe35c2f2324569af675d795fdd792007c5d044eb27a37 |
| SHA512 | 0848753cade4f47873fe746605173e2a336183a232920f5e91f6dc03372ead74f182d7f14594c99a2419100ee11f54fa9516cbf89584ef72090ad954149d5ea3 |
memory/1548-330-0x0000000000332000-0x0000000000342000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | f57ec55e923cd5a711f014e1bc602b71 |
| SHA1 | a3395fa9753d6204bcce561b731cc53875536515 |
| SHA256 | e6dcfe9e42367d16c31ee586b7ea5f66b5e853d7796a635b611ee99e375302ed |
| SHA512 | 8c17097dda9970a704f9d29cf07ce8509865a6aba6cee84cbb670b36e2b6d7289a15c5796e653cc8569218b88635c9b4c07a64be2f86c7e6a6fedad27ab92c69 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:56
Reported
2024-01-15 05:01
Platform
win10-20231220-en
Max time kernel
298s
Max time network
301s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\67df257f-d713-4b59-b128-cba8f0290b73\\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
"C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe"
C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
"C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\67df257f-d713-4b59-b128-cba8f0290b73" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
"C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
"C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe
"C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe"
C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe
"C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe"
C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe
"C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1900
C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe
"C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
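The icacls call, the minute-interval schtasks task and the SysHelper Run key above are the persistence footprint of this sample that is worth turning into detection logic. The Python below is an added example written for this page, not code from the sandbox, the report's author or the malware: it runs three heuristic checks over (image, command line) pairs and a registry write constructed from the process trees and signatures in this report. The ATT&CK IDs, the five-minute interval threshold and the treatment of any path under \Users\<name>\AppData\ as user-writable are the editor's assumptions.

```python
import re
from dataclasses import dataclass

# Assumption: anything under a user profile's AppData is writable without elevation. The drop
# directory, the Run-key target and the scheduled-task target in this report all sit there.
USER_WRITABLE = re.compile(r"(?i)\\Users\\[^\\]+\\AppData\\")

SAMPLE_NAME = "b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe"
DROP_DIR = r"C:\Users\Admin\AppData\Local\356c2969-5b64-4da1-afdc-1539ee879782"

# Constructed sample (image, command line), copied from the process tree in this report.
SAMPLE_PROCESSES = [
    (r"C:\Windows\SysWOW64\icacls.exe",
     f'icacls "{DROP_DIR}" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" '
     r'/tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'),
    (r"C:\Windows\SysWOW64\WerFault.exe",          # crash handler: must not fire
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 1444"),
]

# Constructed sample (image, key, value) for the "Adds Run key" registry event in this report.
SAMPLE_REGISTRY = [
    (f"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE_NAME}",
     r"\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000"
     r"\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     f'"{DROP_DIR}\\{SAMPLE_NAME}" --AutoStart'),
]


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID (editor's mapping)
    image: str
    detail: str


def check_icacls(image, cmdline):
    """icacls <dir> /deny *S-1-1-0:(OI)(CI)(DE,DC) denies Everyone (S-1-1-0) delete and
    delete-child on the drop directory, inherited by its contents, so the user cannot remove
    the payload. Legitimate icacls use on a user-writable path rarely denies Everyone."""
    m = re.match(r'(?i)icacls\s+"([^"]+)"\s+/deny\s+\*?S-1-1-0:\(OI\)\(CI\)\(([A-Z,]+)\)', cmdline)
    if not m:
        return None
    path, rights = m.group(1), set(m.group(2).upper().split(","))
    if {"DE", "DC"} <= rights and USER_WRITABLE.search(path):
        return Finding("T1222.001", image, f"Everyone denied {','.join(sorted(rights))} on {path}")
    return None


def check_schtasks(image, cmdline):
    """schtasks /create /sc minute /mo N /tr <AppData path>: a task that relaunches a binary from
    a user-writable directory every few minutes is persistence and a watchdog in one step."""
    if not re.search(r"(?i)/create\b", cmdline):
        return None
    sc = re.search(r"(?i)/sc\s+(\w+)", cmdline)
    mo = re.search(r"(?i)/mo\s+(\d+)", cmdline)
    tn = re.search(r'(?i)/tn\s+"([^"]+)"', cmdline)
    tr = re.search(r'(?i)/tr\s+"([^"]+)"', cmdline)
    if not (sc and tr):
        return None
    interval = int(mo.group(1)) if mo else 1          # schtasks' default modifier is 1
    if sc.group(1).lower() == "minute" and interval <= 5 and USER_WRITABLE.search(tr.group(1)):
        name = tn.group(1) if tn else "<unnamed>"
        return Finding("T1053.005", image, f"task {name!r} runs {tr.group(1)} every {interval} min")
    return None


def check_run_key(image, key, value):
    """HKCU ...\\CurrentVersion\\Run\\<name> = "<AppData path>" --AutoStart: an autostart entry
    whose target sits in a user-writable directory."""
    if not re.search(r"(?i)\\CurrentVersion\\Run\\[^\\]+$", key):
        return None
    m = re.match(r'"([^"]+)"|(\S+)', value)            # quoted path, else the first token
    if not m:
        return None
    target = m.group(1) or m.group(2)
    if USER_WRITABLE.search(target):
        name = key.rsplit("\\", 1)[-1]
        return Finding("T1547.001", image, f"Run\\{name} -> {target}")
    return None


def triage(processes, registry):
    """Run every check over the sandbox's process and registry events, preserving event order."""
    findings = []
    for image, cmdline in processes:
        for check in (check_icacls, check_schtasks):
            hit = check(image, cmdline)
            if hit:
                findings.append(hit)
    for image, key, value in registry:
        hit = check_run_key(image, key, value)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES, SAMPLE_REGISTRY):
        print(f.technique, f.image, f.detail, sep="  ")
```

The three checks are deliberately narrow: they key on the combination of a user-writable target and the specific abuse (deny-delete for Everyone, a sub-five-minute task, a Run value pointing into AppData) rather than on the tool name, so WerFault, a /grant on the same directory, or a daily task under Program Files do not fire.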
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| KR | 211.181.24.133:80 | brusuax.com | tcp |
| PE | 190.187.52.42:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | 42.52.187.190.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.24.181.211.in-addr.arpa | udp |
| PE | 190.187.52.42:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
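The two Network tables mix the sample's own traffic with sandbox noise (the 8.8.8.8 resolver, reverse in-addr.arpa lookups) and with shared public services that should not be blocked. The Python below is an added example, not part of the report or of any tool named on this page: it parses rows in the table format used here, deduplicates them, sorts each flow into a bucket and derives a blocklist. Treating t.me and steamcommunity.com as dead-drop hosts, api.2ip.ua as an IP-lookup service, and 80/443 as the only common ports are assumptions of the example; the rows are copied from the tables above.

```python
import ipaddress

SANDBOX_RESOLVER = ("8.8.8.8", 53)
# Public "what is my IP" service; worth recording, but it is not the C2 (assumption).
IP_LOOKUP_SERVICES = {"api.2ip.ua"}
# Public profile pages used as dead-drop resolvers: the C2 address is read from a profile
# there, so the connection to these hosts is not itself the C2 and is not blockable (assumption).
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}
COMMON_PORTS = {80, 443}

# Constructed sample: rows taken from the two Network tables in this report, one duplicate
# kept on purpose to show deduplication.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| PA | 190.218.35.224:80 | habrafa.com | tcp |
| MX | 187.211.34.211:80 | brusuax.com | tcp |
| PA | 190.218.35.224:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
"""


def parse_rows(table):
    """Parse '| CC | host:port | domain | proto |' rows into tuples; the header row is skipped."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        cc, dest, domain, proto = cells
        host, port = dest.rsplit(":", 1)
        rows.append((cc, host, int(port), domain, proto.lower()))
    return rows


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify(rows):
    """Sort each unique (host, port, domain) into one bucket, keeping first-seen order."""
    buckets = {k: [] for k in ("dns", "ip_lookup", "dead_drop", "direct_ip", "c2_candidate")}
    seen = set()
    for _cc, host, port, domain, proto in rows:
        if (host, port, domain) in seen:
            continue
        seen.add((host, port, domain))
        if proto == "udp" and (host, port) == SANDBOX_RESOLVER:
            if not domain.endswith(".in-addr.arpa"):      # reverse lookups are OS noise
                buckets["dns"].append(domain)
        elif domain in IP_LOOKUP_SERVICES:
            buckets["ip_lookup"].append(f"{host}:{port}")
        elif domain in DEAD_DROP_HOSTS:
            buckets["dead_drop"].append(domain)
        elif is_ip(domain):                                # no name resolved: hard-coded endpoint
            buckets["direct_ip"].append(f"{host}:{port}")
        else:
            buckets["c2_candidate"].append((domain, f"{host}:{port}"))
    return buckets


def nonstandard_ports(rows):
    """TCP endpoints on ports other than 80/443; a perimeter rule can match these narrowly."""
    return sorted({(h, p) for _c, h, p, _d, proto in rows if proto == "tcp" and p not in COMMON_PORTS})


def blocklist(buckets):
    """Indicators safe to block: every domain the sample resolved except shared public services,
    plus every raw endpoint. The domain is the stable part; in this report brusuax.com resolves
    to a different host in each run, so IP-only blocking would lag behind."""
    domains = sorted(set(buckets["dns"]) - DEAD_DROP_HOSTS - IP_LOOKUP_SERVICES)
    endpoints = sorted(set(buckets["direct_ip"]) | {ep for _d, ep in buckets["c2_candidate"]})
    return {"domains": domains, "endpoints": endpoints}


if __name__ == "__main__":
    b = classify(parse_rows(SAMPLE_TABLE))
    print(blocklist(b), nonstandard_ports(parse_rows(SAMPLE_TABLE)))
```

Raw-IP TLS on 443 and the 116.202.0.196:10220 flow have no DNS lookup behind them, which is why they land in direct_ip: those endpoints are embedded in the payload or fetched from the dead-drop profile, and only the endpoint itself can be blocked.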
Files