Analysis Overview
SHA256
a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a
Threat Level: Known bad
The file a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a was found to be: Known bad.
Malicious Activity Summary
Djvu Ransomware
Detected Djvu ransomware
Detect Vidar Stealer
Vidar
Downloads MZ/PE file
Modifies file permissions
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:55
Signatures
Unsigned PE
1 match; no indicator, process or target recorded.
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:55
Reported
2024-01-15 05:00
Platform
win7-20231215-en
Max time kernel
295s
Max time network
153s
Command Line
Signatures
Detect Vidar Stealer
5 matches; no indicator, process or target recorded.
Detected Djvu ransomware
16 matches; no indicator, process or target recorded.
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\24a08177-5051-4a05-82e2-978b9537af99\\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
Note on this signature: the key is written under AuthRoot (the Windows-managed third-party root store that the automatic root update mechanism populates), the key name 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 is the SHA-1 thumbprint of the certificate, and the Blob value below decodes to the DigiCert High Assurance EV Root CA (serial 02ac5c266a0b409b8f0b79f2ae462577, friendly name "DigiCert", validity 2006-11-10 to 2031-11-10), a root Windows already trusts. Together with the CryptnetUrlCache files listed under Files, this is consistent with the OS fetching a missing root while build2.exe made TLS connections, not with the sample installing a root of its own. Treat the hit as low fidelity and compare the thumbprint against Microsoft's trusted root list before escalating on it.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d
498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (identical to the Blob value in the preceding row; duplicate write) | C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe | N/A |
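The Blob values above are the serialized property list Windows keeps for each certificate in a registry-backed store, and decoding it is how you confirm which certificate was written without trusting the signature name. The following is an added example by this editor, not output of the sandbox or code from any project on this page. It walks the property list (DWORD PropId, DWORD Reserved = 1, DWORD cbData, data), names the property IDs from wincrypt.h, decodes the enhanced-key-usage OIDs, and checks that the SHA-1 property, the registry key name and the embedded certificate agree. The first two properties of the report's own Blob are embedded verbatim; the certificate body in the constructed sample is a stand-in, because the real 969-byte DER is not reproduced here. Run on the full Blob above (the wrapped hex joined into one string), the same functions report friendly name "DigiCert" and a 969-byte certificate.

```python
"""Decode the serialized property Blob that Windows writes under
HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\<store>\\Certificates\\<SHA1>\\Blob.
Added example, not part of the sandbox report. Each property is
    DWORD PropId | DWORD Reserved (always 1) | DWORD cbData | BYTE Data[cbData]
and the certificate itself is PropId 0x20 (CERT_CERT_PROP_ID).
"""
import hashlib
import struct

# wincrypt.h property IDs that occur in this report's Blob value.
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
    0x53: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
}


def parse_cert_blob(blob):
    """Walk the property list; raise on truncation so a cut-off registry dump is not misread."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError("truncated property header at offset %d" % off)
        prop_id, reserved, size = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + size > len(blob):
            raise ValueError("bad property %#x at offset %d" % (prop_id, off - 12))
        props[prop_id] = blob[off:off + size]
        off += size
    return props


def build_blob(props):
    """Inverse of parse_cert_blob; used here only to construct test input."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props)


def decode_oid(raw):
    """DER OBJECT IDENTIFIER contents -> dotted string."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def decode_eku(der):
    """SEQUENCE OF OBJECT IDENTIFIER with short-form lengths (AuthRoot EKU lists fit)."""
    if der[0] != 0x30 or der[1] & 0x80:
        raise ValueError("unexpected EKU encoding")
    body, oids, i = der[2:2 + der[1]], [], 0
    while i < len(body):
        if body[i] != 0x06:
            raise ValueError("expected OID at %d" % i)
        n = body[i + 1]
        oids.append(decode_oid(body[i + 2:i + 2 + n]))
        i += 2 + n
    return oids


def summarize(key_name, blob):
    """What an analyst wants from one certificate-store write: who the cert is and
    whether the stored SHA-1, the key name and the embedded DER agree with each other."""
    props = parse_cert_blob(blob)
    der = props.get(0x20, b"")
    computed = hashlib.sha1(der).hexdigest().upper() if der else ""
    return {
        "properties": [PROP_NAMES.get(p, "0x%x" % p) for p in props],
        "friendly_name": props.get(0x0B, b"").decode("utf-16-le", "replace").rstrip("\x00"),
        "eku": decode_eku(props[0x09]) if 0x09 in props else [],
        "cert_len": len(der),
        "thumbprint": computed,
        "sha1_prop_matches_der": props.get(0x03, b"").hex().upper() == computed,
        "key_name_matches_der": key_name.upper() == computed,
    }


# First two properties of the report's Blob value, copied verbatim from the row above.
REPORT_BLOB_HEAD = bytes.fromhex(
    "0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8"
    "090000000100000034000000303206082b0601050507030106082b06010505070302"
    "06082b0601050507030406082b0601050507030306082b06010505070308"
)

# Constructed stand-in for the 969-byte DER certificate (not a real certificate).
FAKE_DER = b"\x30\x82\x00\x04\x02\x02\x01\x02"


def sample_blob(consistent=True):
    """Constructed Blob carrying the report's friendly name plus either a SHA-1 property
    that matches FAKE_DER (as Windows writes it) or the report's DigiCert thumbprint,
    which does not match the stand-in and so must be flagged."""
    sha1 = hashlib.sha1(FAKE_DER).digest()
    stored = sha1 if consistent else bytes.fromhex("5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25")
    key_name = stored.hex().upper()
    return key_name, build_blob([
        (0x0B, "DigiCert\0".encode("utf-16-le")),
        (0x03, stored),
        (0x20, FAKE_DER),
    ])
```

A mismatch between the key name and the SHA-1 of the embedded certificate is the thing to look for: Windows computes both itself, so disagreement means the value was not written through the normal store API. On the report's Blob the two agree, which is one more reason to read this hit as the OS caching a known root.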
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
"C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe"
C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
"C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\24a08177-5051-4a05-82e2-978b9537af99" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
"C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
"C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe
"C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe"
C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe
"C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe"
C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe
"C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe
"C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1436
C:\Windows\system32\taskeng.exe
taskeng.exe {D0EDE7BC-9159-4D69-9190-ABFF6977CB4A} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
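The persistence and self-protection steps in the process list above (the icacls deny on the GUID-named drop folder, the --Admin / --AutoStart relaunches, the SysHelper Run value and the one-minute "Azure-Update-Task" scheduled task pointing at %APPDATA%\Microsoft\Network\mstsca.exe) are the parts of this chain that survive a reboot, so they are what an endpoint rule set should catch. The following is an added example by this editor, not sandbox output: the events are transcribed from the behavioral1 rows above, while the rules, thresholds and the ATT&CK technique mapping are the editor's own choices, not the sandbox's.

```python
"""Persistence and self-protection triage over process and registry events in the
shape this report records them. Added example; rules and ATT&CK mapping are the
editor's, the events are transcribed from the report's behavioral1 section."""
import ntpath
import re

# Directories a standard user can write to; autostarts that point here are suspect.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Djvu drops a copy of itself into %LOCALAPPDATA%\<GUID>\ and points persistence at it.
GUID_DIR = re.compile(r"\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)
EVERYONE_SID = "S-1-1-0"
# Switches the sample passes to its own children, as seen in the process list.
DJVU_SWITCHES = ("--Admin", "--AutoStart", "IsNotAutoStart", "IsNotTask")

SAMPLE_NAME = "a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_NAME
DROP_DIR = r"C:\Users\Admin\AppData\Local\24a08177-5051-4a05-82e2-978b9537af99"

# Transcribed from behavioral1; the registry event is the "Adds Run key" signature row.
EVENTS = [
    {"type": "process", "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": f'icacls "{DROP_DIR}" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "process", "image": SAMPLE, "cmdline": f'"{SAMPLE}" --Admin IsNotAutoStart IsNotTask'},
    {"type": "registry",
     "key": r"HKU\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SysHelper", "data": f'"{DROP_DIR}\\{SAMPLE_NAME}" --AutoStart'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" '
                r'/tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1436"},
]


def rule_scheduled_task(ev):
    """schtasks /create with a repeat interval of a few minutes whose action lives in a
    user-writable path (T1053.005). Legitimate updaters rarely re-run every minute."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    cl = ev["cmdline"]
    if "/create" not in cl.lower():
        return None
    tr = re.search(r'/tr\s+"([^"]+)"', cl, re.I)
    mo = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", cl, re.I)
    if tr and mo and int(mo.group(1)) <= 5 and USER_WRITABLE.search(tr.group(1)):
        return ("T1053.005", "high", "task every %s min runs %s" % (mo.group(1), tr.group(1)))
    return None


def rule_acl_lockdown(ev):
    """icacls denying delete rights (DE) to Everyone on a profile directory (T1222.001):
    the sample protects its own drop folder from removal."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("\\icacls.exe"):
        return None
    cl = ev["cmdline"]
    if ("/deny" in cl.lower() and "*%s:" % EVERYONE_SID in cl
            and re.search(r"[(,]DE[,)]", cl) and USER_WRITABLE.search(cl)):
        target = cl.split('"')[1] if cl.count('"') >= 2 else cl
        return ("T1222.001", "medium", "Everyone denied delete on " + target)
    return None


def rule_run_key(ev):
    """Run value whose target sits in a GUID-named folder under the profile (T1547.001)."""
    if ev["type"] != "registry" or not ev["key"].lower().endswith(r"\currentversion\run"):
        return None
    if USER_WRITABLE.search(ev["data"]) and GUID_DIR.search(ev["data"]):
        return ("T1547.001", "high", "Run value %s -> %s" % (ev["name"], ev["data"]))
    return None


def rule_djvu_switches(ev):
    """Relaunch with the switches this family uses to tell its stages apart."""
    if ev["type"] != "process":
        return None
    hits = [s for s in DJVU_SWITCHES if s in ev["cmdline"]]
    if hits:
        return ("djvu-cmdline", "high",
                "%s run with %s" % (ntpath.basename(ev["image"]), " ".join(hits)))
    return None


RULES = (rule_scheduled_task, rule_acl_lockdown, rule_run_key, rule_djvu_switches)


def triage(events):
    """Return (technique, severity, evidence) for every rule that fires on any event."""
    return [hit for ev in events for hit in (rule(ev) for rule in RULES) if hit]


def technique_ids(events):
    return sorted({finding[0] for finding in triage(events)})


if __name__ == "__main__":
    for technique, severity, evidence in triage(EVENTS):
        print(technique, severity, evidence)
```

The WerFault and plain sample-launch events fall through every rule, which is the point of keying on the combination (short interval plus user-writable target, deny plus Everyone plus profile path) rather than on the tool name alone; schtasks and icacls are run legitimately all day.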
Network
Reading the table: api.2ip.ua is the external-IP lookup flagged above; habrafa.com is contacted over plain HTTP on port 80; the t.me and steamcommunity.com lookups immediately followed by repeated TLS connections to the bare address 65.109.241.139 are consistent with the stealer reading its C2 address from a public profile page, a pattern documented for Vidar, so 65.109.241.139:443 is the address worth blocking, not the two public sites.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| PE | 190.187.52.42:80 | habrafa.com | tcp |
| BA | 185.12.79.25:80 | habrafa.com | tcp |
| PE | 190.187.52.42:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
Files
memory/1852-0-0x0000000000330000-0x00000000003C2000-memory.dmp
memory/1612-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1852-4-0x00000000006C0000-0x00000000007DB000-memory.dmp
memory/1612-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1852-1-0x0000000000330000-0x00000000003C2000-memory.dmp
memory/1612-7-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1612-8-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\24a08177-5051-4a05-82e2-978b9537af99\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
| MD5 | 3c2b31e7c091650e12934ee8eeaeeb58 |
| SHA1 | 5848274e0b6da2d94d28b32314a5b9b56d2d7a5e |
| SHA256 | a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a |
| SHA512 | fde24a46c657248611e27feb5835eb76e12ba828028b1ba514ff98cf5046f122d68e179923f6c52edec0c97edc578f7a6e0671eda12799ce4351f934db0d6100 |
memory/1612-26-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2664-27-0x00000000002B0000-0x0000000000342000-memory.dmp
memory/2664-29-0x00000000002B0000-0x0000000000342000-memory.dmp
memory/2580-34-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2580-35-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab205C.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2f2f3c5a52379836dc15a1e6b6645956 |
| SHA1 | 1926098223f2c5da36107d5e146e19b95b58495e |
| SHA256 | 35c2e360cab77a557e95248429a15b137e7a69c7268d2b72c7d053d4bf42215a |
| SHA512 | 8613dcfeeea14bbe930540319ae52a605db722f4443f04319ba1a69a050143dd07a641ef2136c0978f9d661a44a0d12450e515584cbf933b09eee583a159c8c6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 0949ff744fb3ba42b01ae456dc6733a7 |
| SHA1 | c117219a9a1cb6469fe447f295108ee7f570ae64 |
| SHA256 | b4a92323e80f5b8cd3f2f148d1ac0fd80219f8f9d327755dcd0c409f5a7e7388 |
| SHA512 | 10121276da3190020a7a202e9f632607469c3f08809eeb54c75741b071c6341214af19f71e00440b3d127fceea2bf03f9cef8e1202419291d686a795fe2f177e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 053e0961fc5841d063419890e657216e |
| SHA1 | 85d420bf7c5370df818b7286ef3c9b9ff252ffea |
| SHA256 | 67ca9657ce00b3fffe57925a937ab31c0e86c40998775ace1e57fb1ede44601c |
| SHA512 | 0e38144f33364d16d17d5593b3eb04276a35f412c7a7f402f5eadd34c8866b4edd38b948181bc4f883ce004f0f948a89ab8808f42366e0e537db19852d7a7789 |
memory/2580-49-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2580-48-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2580-53-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2580-56-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2580-55-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe
| MD5 | be1d2812607430d60569567b7417efd0 |
| SHA1 | 2e5c06ff36abae8514cfc313c731068c34dd2879 |
| SHA256 | 208392e9cb32d9fc672864b7dc4f6a0cac4e5004efe85d2c5038c41ccec37266 |
| SHA512 | b680191696b0ed32bd5eb25017ed4c2de4653b096d17346796dff0e06d34927224afcfe5bf97c88b56168f8742a7aef14ddbc7200c0724097cfdfa29b1340a89 |
C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe
| MD5 | 06b47d11e7f05b7a8ec0403d48122dd6 |
| SHA1 | 1150692f659f6be1d39533a120afd8e6c39387aa |
| SHA256 | 0ae7aa899ec3b723c87028340addce96de143b5a691477d7066f61d8bdf6f471 |
| SHA512 | fa1cca60822e6050eb63d7b9f47c87b775b39bde92d9e968afbc29349e222631af960583017d643ac688895b47f630350a5318126483ef4f5536aecad66a0adc |
C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe
| MD5 | c18f9a896b1a96762db5662853d6b94b |
| SHA1 | adf5965d077cccfd4e5d4a47137e65d19f5c6b48 |
| SHA256 | 94880e5d803d7001809ca823fd15484d2b3a87c8a5676952f3e4d08a1641f3c4 |
| SHA512 | 8d3f3597a9cb2f49563f479a6654521d2cefb687cadb13b81fc624ab1bc06c19f181b8890435866a5cc7928c0a22cd6b18ffb07e9431d110f08cf2027d2fceff |
\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe
| MD5 | aa39bf5403592cd7dd43dd8f4cc9d07d |
| SHA1 | 3593659621b2bb7e32a78059308fff2be04f3c27 |
| SHA256 | 823d59f6b7a71f79bc83fd253b0561767e9b0568589c92933ee8be9fcc787ae0 |
| SHA512 | dea28d320a66027d4ad9c2c97df76cc0d087694b2c6967d996cc0a6b08fe4e2ab82c0e654c5d21b8dcd8726b1875e6ed41372be0d40cfaaccd5da63329bb41d6 |
memory/2520-72-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1340-75-0x00000000002E0000-0x00000000003E0000-memory.dmp
memory/2520-78-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2520-77-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1340-76-0x00000000001C0000-0x000000000020B000-memory.dmp
C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe
| MD5 | 5cf27478cf33387fce38eef7054ab1f3 |
| SHA1 | 3c1d100942bd8e29fd329e2184bd30b558ba930e |
| SHA256 | 7566635be327d4851e820efbbaca604a1ddb34fe9cdd37401c2dfb65afb0befc |
| SHA512 | 337c4beb3a37323d14c530e83ee12a6720f37be8feb272268751bb77921a99461b096c3730acd9e4036069c78868aee008ee02ec28204f2ecccdcbcc7772f3c4 |
memory/2520-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe
| MD5 | 5fdbc7061921001b06f5bcd8f1fd3e27 |
| SHA1 | bf1bb8bc1113827f3c615352fb7105d71ebf6e4d |
| SHA256 | 4f78c94ab539b688956081dac8e29b1505192f195c3d95be26f97c6c22fd5fe1 |
| SHA512 | eafd539c4c6489f3f522f1a05be71d8693c95db24a196361814d89c4173c405fda15258746886a42d8916bc9621ad8aab2c441f6c42512d25184b8af69373588 |
C:\Users\Admin\AppData\Local\Temp\Tar2CBC.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
memory/2580-114-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 684f353424c623330a61ea87a660b84e |
| SHA1 | 85699f1b3e449d07844d0bcf707f34438cc8abcf |
| SHA256 | b224357d2cb524e055f9bd565ff3edb55b6ed56ba636ccfb1f7a007aebd1311b |
| SHA512 | c6c437962047a3614eafa693c81c9b86a9bda04695ddc81b8df40dc0d16447855dd6dbdec9da720e1a381fb9b20a8477f17b585469545910e881cfbcab95ab35 |
C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe
| MD5 | 864627bdf745eda7e7c9868aa5d8b2cc |
| SHA1 | d6355883f6edc3940c601f89a7f8d3902bb1c6fa |
| SHA256 | f86fbbe033bf6b10b72c0eab6e1614d35f81dac37e620a15b6dc6d8fdfe96c30 |
| SHA512 | bb5715d402c9b0ffaee53aa1e535b736f99d39dea83ea0efd575810aefc19e65dc9af6409549d2e89ad0cb2f06ed989ca1d3fdcefd6dbbf1bc012ae08e2b8316 |
C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe
| MD5 | eba7dd24dbf26e11d00c46c1e31af97c |
| SHA1 | 7a0ab51fe542b995fda55824c28bb6634921ae9b |
| SHA256 | 5bbbed6d3670f160d2ab3d7714065d412c17a17285e167dd62dc0e731c29d1e6 |
| SHA512 | 5bf2e61bb4bdd2e61a974ed4da97e32c5327a34e817dd67e2a8daf52d28aa27e7c3d96474bef1a4af1e63ef7e456317092b4d9de9a6f6fc307d5169f8d4e9289 |
memory/2580-169-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe
| MD5 | e979517f1b235c791ddcfa4e9973fd5e |
| SHA1 | 4c865c82232632d98af184f2387b51ad931bef32 |
| SHA256 | ca2cb2ba86cd09c65c4becc53038a430eb95db6170c635e5988aab08e97b509c |
| SHA512 | 43477b0a9ff2ef9fa940755a1406b62f2b6b5212d0a0e39ee6c003c591e0a606d70948d734b7fa38d71ec3b6745f4e203026c96fca76df42eec92e89d65590f6 |
\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe
| MD5 | be0dc2b3392ddad04d79be0767d5eb2f |
| SHA1 | d7a703e75c5a6a5d8078b2eb5fc22eaa298958c9 |
| SHA256 | 197b33a766825f2c42aa0c3a9e91e9673614bf60222d4c8ff8fa5ea56bc0e693 |
| SHA512 | 6cd39681314a358a45c964771f2bfae3e8705ea4216dfa0d94ab3bf943f764242c27861c9efa9a9ee35960d196a5ed1e3522690d7cb776f6484e641e25b02f1d |
memory/268-195-0x0000000000C72000-0x0000000000C83000-memory.dmp
memory/2144-206-0x0000000000400000-0x0000000000406000-memory.dmp
memory/268-205-0x0000000000220000-0x0000000000224000-memory.dmp
C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe
| MD5 | e48cde27b568bdf4f48005ea798a3499 |
| SHA1 | 1428bd2ad4882111aa578f93bba8d5ac30af5266 |
| SHA256 | 73f0cdba3653a614f06cd6d7292e8f3453007c0b5f1ae5f477c16cbee771a153 |
| SHA512 | d3593c6a1303f84aeedb78c34ab449f801f23627211abf0ac140d121601f618238e476c59af8267048865ef569cd7c2b0f31108f604cc4b6c52452a277c00dec |
memory/2144-193-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2144-209-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe
| MD5 | 97876d29fdfe56e9cb29a0b93435dda0 |
| SHA1 | a863d84a33fb75ee4bc81203ed8fea77259cd8c3 |
| SHA256 | a8a871f0d8dac606050304539be45600d441021158ddbba96f38352169723b55 |
| SHA512 | fbd155089c7be72a0fb09b70d1ce76f4856fe28e4ce0ebf5b7e77fe20e327cf93fd8dd0e63113eb3efd9a6462674bd5c9f4fdb500c302a56b43e1861469a687a |
\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe
| MD5 | c4070da9f9b0581171af16e681ccdff8 |
| SHA1 | 3fb4182921fdc3acd7873ebe113ac5522585312a |
| SHA256 | 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0 |
| SHA512 | c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427 |
memory/2520-226-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1340-228-0x00000000001C0000-0x000000000020B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/1908-236-0x00000000008C0000-0x00000000009C0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | ddd41c9f1e05950d887a19c5c0796aae |
| SHA1 | 7533f7c83bf2323b7cb473042992bdd28e69c444 |
| SHA256 | 31f6455c91ab14213dc328c9eb8ace57db24e1c238a0549442c44e5cb000716f |
| SHA512 | c600c984d78ed0dc3dcfd294e67126879e1355e446663ff550447ff2a436328324fb66968b359b0dcc3e60101afdfbd733f10319ade2a4ac93c63438ca62660c |
memory/776-267-0x0000000000992000-0x00000000009A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | ae4bd1b16336e053a817a1bbad696120 |
| SHA1 | 1ac2f5a2adfe10362b73545cc7b0a6c79ec07909 |
| SHA256 | 475a21db48099a03e0f01f59447f925718bcfe1044f2ccb54baab2369a2d4bdf |
| SHA512 | 027ab2ed7aea37df3c708331d6ddb4bf61ae7f4d5f2bb4362cd520508d047258e6a5ffe511d62158b49ee825ddf09739fae01948e524090950fd1e6e8ae82625 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | a796a4e9bda2490e70607932e085e289 |
| SHA1 | 58ae2353dae80e6499316336c58e902cd4ba9c4d |
| SHA256 | 0606cbaa53e55864bcb9e20f3426a2164734ea394ef14fd204a0a1431d10e575 |
| SHA512 | 9c79d33ab16a6f5a0510ce9db6527cb50547f31003d7038713a9f800cce8b8f6f6cb2784ceb751f05036d6be6d42b98efa05718d632245a323b4ee8e06bb29f0 |
memory/532-295-0x0000000000A02000-0x0000000000A12000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 956a0460a4c142fa6b5c70dec0872af0 |
| SHA1 | aade02ab4fab13ef34a88fd87a92990c079541ef |
| SHA256 | 35dcda33197b4f6a1dc8a45dde2e9dd6d25b67d53b6369d6a1d6192292c7ca0e |
| SHA512 | 162b7721dfe4d2f11283bb364ed3704022c2bd5d43692997f1ead52959b31e1d4bc3ad0126f72b9e694de1e7125cdc2f711f13b2a26c2bda8cc386f1ae871b9a |
memory/2712-321-0x0000000000900000-0x0000000000A00000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | fe3b3cbc34bba7a595ffa84ce906aff8 |
| SHA1 | fcfc5967cbf23df360952e4cbf37a23c3404e6b7 |
| SHA256 | bf6dde768f944e5bc829274a1c202e32c2e12ae1d16bc7a702f89dbb3dbf1d48 |
| SHA512 | 09672aa9eb5164aa87cafde7a61d7980f6b15f6b1dd5b7c5e67105c8689f0e211ab989ecefab5669199733bce586e8cd7fab81a2593be726d69565e647d8a656 |
memory/3064-351-0x00000000009D2000-0x00000000009E2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 1ccf31bdd875be9881991f56c08408f6 |
| SHA1 | 4aa6366088d353b1a06ec141481b863cd42c0a75 |
| SHA256 | 74b214e76c8dae00ce66e996c9b7380dda5565eb6ec6806c7c50568614711fc9 |
| SHA512 | d3ad73d1f449eb75194688500d7f0d963b0579029338396ae1be19f07a6a831680e8770f4d3f1bba4743628e96d490e51427dabf9dfff0930fe6f8272f8caced |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:55
Reported
2024-01-15 05:00
Platform
win10-20231215-en
Max time kernel
297s
Max time network
304s
Command Line
Signatures
Detect Vidar Stealer
5 matches; no indicator, process or target recorded.
Detected Djvu ransomware
16 matches; no indicator, process or target recorded.
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ff4b3cd0-a953-4de5-bc46-5112cba09b7e\\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
"C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe"
C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
"C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\ff4b3cd0-a953-4de5-bc46-5112cba09b7e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
"C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
"C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe
"C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe"
C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe
"C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe"
C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe
"C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1928
C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe
"C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
The *.in-addr.arpa rows are reverse (PTR) lookups of addresses already present in the table, not additional infrastructure; the new endpoint in this run compared with behavioral1 is 116.202.0.196:10220, contacted repeatedly over TCP with no domain name.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| BA | 185.12.79.25:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| PE | 190.187.52.42:80 | habrafa.com | tcp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 25.79.12.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.52.187.190.in-addr.arpa | udp |
| PE | 190.187.52.42:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
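The Network table mixes genuine indicators with analysis noise: 8.8.8.8:53 is the resolver the analysis VM uses, and the *.in-addr.arpa rows are reverse PTR lookups on peers already seen, so neither adds infrastructure to an IOC list. The Python below is an added example, not part of the sandbox report; it parses rows in this table's format, drops that noise, and tags the remaining destinations with the traits a responder pivots on: direct-to-IP traffic on a non-standard port, an external-IP lookup service, and a public platform that can act as a dead-drop resolver. The rows are those of the table above (the 20.231.121.79:80 row has no resolved domain and is written with an empty Domain cell); the service and platform lists used for tagging are the example's own assumptions.

```python
import ipaddress
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List

VM_RESOLVER = "8.8.8.8"
# Services that merely echo the caller's public IP; contacted by stealers to
# fingerprint the victim (assumption: list chosen for this example).
EXTERNAL_IP_SERVICES = {"api.2ip.ua"}
# Public platforms abused to host or resolve a C2 address instead of a
# dedicated domain (assumption for tagging).
DEAD_DROP_HOSTS = {"t.me"}

# Rows of the Network table in this report, header included.
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| BA | 185.12.79.25:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| PE | 190.187.52.42:80 | habrafa.com | tcp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 25.79.12.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.52.187.190.in-addr.arpa | udp |
| PE | 190.187.52.42:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
"""


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str   # empty when the sandbox saw no name for the destination
    proto: str


def parse_rows(table: str) -> List[Conn]:
    """Parse '| Country | ip:port | domain | proto |' rows; skips the header."""
    conns = []
    for line in table.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or ":" not in cells[1]:
            continue  # header row or malformed row
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), domain, proto.lower()))
    return conns


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def extract_iocs(conns: List[Conn]) -> Dict[str, object]:
    """Return unique domains and tagged ip:port destinations, resolver noise removed."""
    domains: "OrderedDict[str, None]" = OrderedDict()
    dests: "OrderedDict[str, dict]" = OrderedDict()
    for c in conns:
        # PTR names and bare IPs in the Domain column are not pivotable domains.
        if c.domain and not c.domain.endswith(".in-addr.arpa") and not _is_ip(c.domain):
            domains[c.domain] = None
        if c.ip == VM_RESOLVER and c.port == 53:
            continue  # the VM's DNS resolver, not attacker infrastructure
        entry = dests.setdefault(f"{c.ip}:{c.port}",
                                 {"domain": c.domain, "country": c.country, "tags": set()})
        if c.port not in (80, 443):
            entry["tags"].add("non-standard port")
        if not c.domain or _is_ip(c.domain):
            entry["tags"].add("direct-to-ip")
        if c.domain in EXTERNAL_IP_SERVICES:
            entry["tags"].add("external-ip lookup")
        if c.domain in DEAD_DROP_HOSTS:
            entry["tags"].add("public platform (possible dead-drop resolver)")
    return {"domains": list(domains), "destinations": dests}


if __name__ == "__main__":
    iocs = extract_iocs(parse_rows(NETWORK_TABLE))
    print("domains:", ", ".join(iocs["domains"]))
    for dest, info in iocs["destinations"].items():
        print(f"{dest:<22} {info['country']} {info['domain'] or '-':<16} {sorted(info['tags'])}")
```

On this table the output is four domains and six destinations; 116.202.0.196:10220 stands out as direct-to-IP on a non-standard port (the profile of a stealer exfiltration endpoint), 172.67.139.220:443 is tagged as the external-IP lookup that the signature summary also reports, and the two port-80 hosts behind brusuax.com and habrafa.com are the ones to pivot on for the payload download.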
Files
memory/3784-1-0x0000000000720000-0x00000000007BA000-memory.dmp
memory/3784-2-0x00000000021D0000-0x00000000022EB000-memory.dmp
memory/2544-3-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2544-4-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2544-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2544-6-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\ff4b3cd0-a953-4de5-bc46-5112cba09b7e\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
| MD5 | 3c2b31e7c091650e12934ee8eeaeeb58 |
| SHA1 | 5848274e0b6da2d94d28b32314a5b9b56d2d7a5e |
| SHA256 | a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a |
| SHA512 | fde24a46c657248611e27feb5835eb76e12ba828028b1ba514ff98cf5046f122d68e179923f6c52edec0c97edc578f7a6e0671eda12799ce4351f934db0d6100 |
memory/2544-17-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2980-20-0x0000000000710000-0x00000000007AB000-memory.dmp
memory/3320-22-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3320-23-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3320-24-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 57313eb3ffa096f23faa8ee3cafae685 |
| SHA1 | 6de8364f5146921d7f2faa22a5c4927bf93d7634 |
| SHA256 | 4de57d50cf948cd713380aab3a43b0e57c8c8313d891b60082c08f9cb2214abf |
| SHA512 | 97aaeab67fa1640a635e3af6900ef8f531bde377195fd76955c0fef6cf6d7ac1abebbeb881307cb20fa882941f414dacad5be945496a9b4f6b962f69f4bd0a65 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | cdd2a66680e57ed3177202af8e0e3e76 |
| SHA1 | 5f8cb7912c9122161fd49eb608a5722f37e0f0da |
| SHA256 | d641ee5febeac49f522fb93abcf5e7fd0cbdd543f984cf27545ccac395135337 |
| SHA512 | 55eaa6335b0ea858b3207e5197f340ab74b69596e1aaf8101c98dbd201d7ccd8823ebbb62ab92d420cee3bd120192f8ab9923c4c9e31b948f8a3e6cf22ed5c17 |
memory/3320-29-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3320-30-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3320-34-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3320-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3320-37-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe
| MD5 | c4070da9f9b0581171af16e681ccdff8 |
| SHA1 | 3fb4182921fdc3acd7873ebe113ac5522585312a |
| SHA256 | 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0 |
| SHA512 | c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427 |
memory/1444-46-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/1444-47-0x00000000005E0000-0x000000000062B000-memory.dmp
memory/4268-48-0x0000000000400000-0x000000000065E000-memory.dmp
memory/4268-51-0x0000000000400000-0x000000000065E000-memory.dmp
memory/4268-52-0x0000000000400000-0x000000000065E000-memory.dmp
memory/3320-56-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/3320-62-0x0000000000400000-0x0000000000537000-memory.dmp
memory/864-67-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3680-70-0x0000000000970000-0x0000000000A70000-memory.dmp
memory/3680-71-0x00000000008E0000-0x00000000008E4000-memory.dmp
memory/864-72-0x0000000000400000-0x0000000000406000-memory.dmp
memory/864-74-0x0000000000400000-0x0000000000406000-memory.dmp
memory/4268-77-0x0000000000400000-0x000000000065E000-memory.dmp
memory/3248-84-0x00000000008B0000-0x00000000009B0000-memory.dmp
memory/4264-87-0x0000000000400000-0x0000000000406000-memory.dmp
memory/5068-110-0x0000000000A00000-0x0000000000B00000-memory.dmp
memory/436-116-0x0000000000410000-0x0000000000411000-memory.dmp
memory/5040-139-0x00000000009A0000-0x0000000000AA0000-memory.dmp
memory/688-164-0x0000000000A40000-0x0000000000B40000-memory.dmp
memory/1492-191-0x0000000000960000-0x0000000000A60000-memory.dmp