Malware Analysis Report

2025-08-10 18:25

Sample ID 240115-fkfgyahgcl
Target aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293
SHA256 aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293
Tags
djvu vidar discovery persistence ransomware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293

Threat Level: Known bad

The file aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe was found to be: Known bad. Both detonations (Windows 7 and Windows 10) produce the same signature set. The Windows 7 run shows the full chain: the sample relaunches itself and injects into the new copy (SetThreadContext / WriteProcessMemory), copies itself into a GUID-named folder under AppData\Local, runs icacls to deny Everyone (S-1-1-0) delete rights on that folder, registers a SysHelper Run key that restarts the copy with --AutoStart, queries api.2ip.ua, then downloads and runs build2.exe and build3.exe from a second GUID-named folder. build3.exe schedules C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe to run every minute as "Azure-Update-Task". The t.me and steamcommunity.com connections are consistent with Vidar's dead-drop lookup of its C2 address, and the 65.109.241.139:443 connections go directly to an IP with no preceding DNS lookup.

Malicious Activity Summary

djvu vidar discovery persistence ransomware stealer

Detect Vidar Stealer

Detected Djvu ransomware

Djvu Ransomware

Vidar

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:55

Reported

2024-01-15 05:00

Platform

win7-20231215-en

Max time kernel

300s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
(5 rule matches; the report records no description, indicator, process or target for them)

Detected Djvu ransomware

Description Indicator Process Target
(15 rule matches; the report records no description, indicator, process or target for them)

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
The icacls command line (under Processes) denies Everyone (*S-1-1-0) the delete (DE) and delete-child (DC) rights on the GUID-named folder holding the copied sample, inherited to files and subfolders ((OI)(CI)); the copy cannot be removed until that deny ACE is stripped.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\47bd7c2f-ee7b-492f-a462-50d917e3781f\\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 lookups)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2192 set thread context of 2196 N/A C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe
PID 2580 set thread context of 1804 N/A C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe
PID 1536 set thread context of 1748 N/A C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe
PID 764 set thread context of 2356 N/A C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build3.exe C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build3.exe
PID 2716 set thread context of 2548 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1132 set thread context of 1332 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1012 set thread context of 2444 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2556 set thread context of 2024 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (2 invocations; both create "Azure-Update-Task", which runs C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe every minute, see the command lines under Processes)

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob not reproduced; the value was written twice) C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe N/A
Caveat: an AuthRoot\Certificates\<thumbprint> entry written by a process that has just populated CryptnetUrlCache (see the Files section, together with the Cab*.tmp and Tar*.tmp files) is normally Windows' automatic root-certificate update, triggered by the process's first TLS connection, rather than the malware installing a root of its own. On its own this signature is weak evidence of tampering; confirm the thumbprint against the Microsoft trusted-root list before acting on it.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2196 (11 writes) C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe
PID 2196 wrote to memory of 1432 (4 writes) C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe C:\Windows\SysWOW64\icacls.exe
PID 2196 wrote to memory of 2580 (4 writes) C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe
PID 2580 wrote to memory of 1804 (11 writes) C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe
PID 1804 wrote to memory of 1536 (4 writes) C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe
PID 1536 wrote to memory of 1748 (11 writes) C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe
PID 1804 wrote to memory of 764 (4 writes) C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build3.exe
PID 764 wrote to memory of 2356 (10 writes) C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build3.exe C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build3.exe
PID 2356 wrote to memory of 280 (4 writes) C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 1748 wrote to memory of 3032 (1 write) C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe C:\Windows\SysWOW64\WerFault.exe
(The Indicator column, N/A in the original, has been replaced by the number of identical rows the sandbox recorded for each pair.)
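The SetThreadContext and WriteProcessMemory tables describe the same parent/child pairs from two angles but leave the reader to assemble the chain by hand. The following Python is an added example and not part of the sandbox report: it re-parses rows in the report's own "PID a <verb> b N/A <src> <dst>" layout (one distinct row per event, embedded below as constructed input copied from the tables above) and prints the process tree, marking each stage where a process both wrote into and reset the thread context of a child running the same image, the self-injection pattern behind every SetThreadContext row here. It assumes image paths contain no spaces, which holds for this report since the table gives no other column delimiter.

```python
import re
from ntpath import basename

# Constructed input: one row per distinct event, copied from the behavioral1
# SetThreadContext and WriteProcessMemory tables (the report repeats each
# WriteProcessMemory row once per call; the repeat counts are not needed here).
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe"
DROP = r"C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8"
BUILD2, BUILD3 = DROP + r"\build2.exe", DROP + r"\build3.exe"
MSTSCA = r"C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
SYS = r"C:\Windows\SysWOW64"
ROWS = [
    f"PID 2192 set thread context of 2196 N/A {SAMPLE} {SAMPLE}",
    f"PID 2580 set thread context of 1804 N/A {SAMPLE} {SAMPLE}",
    f"PID 1536 set thread context of 1748 N/A {BUILD2} {BUILD2}",
    f"PID 764 set thread context of 2356 N/A {BUILD3} {BUILD3}",
    f"PID 2716 set thread context of 2548 N/A {MSTSCA} {MSTSCA}",
    f"PID 2192 wrote to memory of 2196 N/A {SAMPLE} {SAMPLE}",
    f"PID 2196 wrote to memory of 1432 N/A {SAMPLE} {SYS}\\icacls.exe",
    f"PID 2196 wrote to memory of 2580 N/A {SAMPLE} {SAMPLE}",
    f"PID 2580 wrote to memory of 1804 N/A {SAMPLE} {SAMPLE}",
    f"PID 1804 wrote to memory of 1536 N/A {SAMPLE} {BUILD2}",
    f"PID 1536 wrote to memory of 1748 N/A {BUILD2} {BUILD2}",
    f"PID 1804 wrote to memory of 764 N/A {SAMPLE} {BUILD3}",
    f"PID 764 wrote to memory of 2356 N/A {BUILD3} {BUILD3}",
    f"PID 2356 wrote to memory of 280 N/A {BUILD3} {SYS}\\schtasks.exe",
    f"PID 1748 wrote to memory of 3032 N/A {BUILD2} {SYS}\\WerFault.exe",
]

ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) N/A (\S+) (\S+)$")


def parse_rows(rows):
    """Report rows -> event dicts. Assumes image paths contain no spaces."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            src, verb, dst, src_img, dst_img = m.groups()
            events.append({"kind": "ctx" if verb.startswith("set") else "write",
                           "src": int(src), "dst": int(dst),
                           "src_img": src_img, "dst_img": dst_img})
    return events


def build_tree(events):
    """pid -> image name, and parent pid -> child pids. A WriteProcessMemory
    edge is taken as the parent/child relation: in this chain every process
    writes only into a process it has just created."""
    images, children = {}, {}
    for e in events:
        images.setdefault(e["src"], basename(e["src_img"]))
        images.setdefault(e["dst"], basename(e["dst_img"]))
        if e["kind"] == "write":
            kids = children.setdefault(e["src"], [])
            if e["dst"] not in kids:
                kids.append(e["dst"])
    return images, children


def injection_pairs(events):
    """(parent, child) pairs where the parent wrote into the child AND reset a
    thread context in it AND both run the same image: same-image injection."""
    wrote = {(e["src"], e["dst"]) for e in events if e["kind"] == "write"}
    return [(e["src"], e["dst"]) for e in events
            if e["kind"] == "ctx" and e["src_img"] == e["dst_img"]
            and (e["src"], e["dst"]) in wrote]


def roots(events):
    """Processes nobody wrote into: the entry points of each tree."""
    written = {e["dst"] for e in events if e["kind"] == "write"}
    return [p for p in dict.fromkeys(e["src"] for e in events) if p not in written]


def render(pid, images, children, injected, depth=0):
    mark = f"  [injected by {injected[pid]}]" if pid in injected else ""
    lines = [f"{'  ' * depth}{pid} {images[pid]}{mark}"]
    for kid in children.get(pid, []):
        lines += render(kid, images, children, injected, depth + 1)
    return lines


def process_trees(rows):
    """One indented tree (list of lines) per root, injected stages marked."""
    events = parse_rows(rows)
    images, children = build_tree(events)
    injected = {child: parent for parent, child in injection_pairs(events)}
    return [render(r, images, children, injected) for r in roots(events)]


if __name__ == "__main__":
    for tree in process_trees(ROWS):
        print("\n".join(tree), end="\n\n")
```

Run stand-alone it prints the tree rooted at PID 2192 (sample, injected copy, icacls and the --Admin relaunch, a second injected copy, then build2.exe and build3.exe each injecting into a copy of itself, with schtasks under build3 and WerFault under the crashed build2) and a second root for mstsca.exe, which the report lists only with SetThreadContext rows. A root with no children usually means the write rows for that stage were not captured, not that the stage is unrelated.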

Processes

C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe

"C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe"

C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe

"C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\47bd7c2f-ee7b-492f-a462-50d917e3781f" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe

"C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe

"C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe

"C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe"

C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe

"C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe"

C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build3.exe

"C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build3.exe"

C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build3.exe

"C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 1440

C:\Windows\system32\taskeng.exe

taskeng.exe {89AF5E08-029A-464F-87A0-2EE977D661BE} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
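Three of the command lines above are the ones worth turning into detection content: the icacls deny on the GUID-named copy folder, the one-minute "Azure-Update-Task" pointing into AppData\Roaming, and the --Admin IsNotAutoStart IsNotTask self-relaunch, plus the SysHelper Run key from the Signatures section. The following Python is an added example, not code from the sandbox or the report: it encodes those four patterns as rules and runs them over a constructed set of Sysmon-style events made up of the four from this report and three benign look-alikes. The field names (type, image, parent, cmdline, key, data) are assumptions for the example; map them to whatever your telemetry provides.

```python
import re

# A GUID-named folder directly under AppData\Local, as used for the copied sample.
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
GUID_DIR = re.compile(r"\\AppData\\Local\\" + GUID, re.I)

NAME = "aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + NAME
COPY_DIR = r"C:\Users\Admin\AppData\Local\47bd7c2f-ee7b-492f-a462-50d917e3781f"
MSTSCA = r"C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
RUN = r"HKU\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed telemetry: events 1-4 reproduce this report, 5-7 are benign look-alikes.
EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\SysWOW64\icacls.exe", "parent": SAMPLE,
     "cmdline": f'icacls "{COPY_DIR}" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"id": 2, "type": "process", "image": SAMPLE, "parent": SAMPLE,
     "cmdline": f'"{SAMPLE}" --Admin IsNotAutoStart IsNotTask'},
    {"id": 3, "type": "registry", "key": RUN + r"\SysHelper",
     "data": f'"{COPY_DIR}\\{NAME}" --AutoStart'},
    {"id": 4, "type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build3.exe",
     "cmdline": f'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "{MSTSCA}"'},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\icacls.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'icacls "C:\ProgramData\Reports" /grant Users:(OI)(CI)R'},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'/create /sc daily /st 02:00 /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
    {"id": 7, "type": "registry", "key": RUN + r"\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def icacls_deny_delete_guid_dir(e):
    """icacls denying Everyone (S-1-1-0) delete/delete-child on a GUID-named
    folder under AppData\\Local: the copied sample protecting itself."""
    c = e.get("cmdline", "").lower()
    return (e["type"] == "process" and e["image"].lower().endswith("\\icacls.exe")
            and "/deny" in c and "*s-1-1-0" in c and "(de,dc)" in c
            and GUID_DIR.search(e["cmdline"]) is not None)


def schtasks_minute_task_from_profile(e):
    """schtasks creating a task that fires every minute and runs a binary
    from the user's profile (the Azure-Update-Task / mstsca.exe pattern)."""
    c = e.get("cmdline", "").lower()
    return (e["type"] == "process" and e["image"].lower().endswith("\\schtasks.exe")
            and "/create" in c and "/sc minute" in c
            and re.search(r"/mo\s+1\b", c) is not None
            and re.search(r'/tr\s+"?[a-z]:\\users\\[^"]*\\appdata\\', c) is not None)


def djvu_relaunch_args(e):
    """The sample relaunching itself (same image as its parent) with the
    argument string recorded in this report."""
    return (e["type"] == "process" and e.get("parent", "").lower() == e["image"].lower()
            and "--admin isnotautostart isnottask" in e.get("cmdline", "").lower())


def run_key_to_guid_dir(e):
    """Run-key value whose command points into a GUID-named AppData\\Local folder."""
    return (e["type"] == "registry"
            and "\\currentversion\\run\\" in e["key"].lower()
            and GUID_DIR.search(e["data"]) is not None)


RULES = [icacls_deny_delete_guid_dir, schtasks_minute_task_from_profile,
         djvu_relaunch_args, run_key_to_guid_dir]


def evaluate(events, rules=RULES):
    """Return (event id, rule name) for every rule that fires on every event."""
    return [(e["id"], r.__name__) for e in events for r in rules if r(e)]


if __name__ == "__main__":
    for event_id, rule in evaluate(EVENTS):
        print(f"event {event_id}: {rule}")
```

The rules deliberately require the GUID-named folder and the every-minute schedule, so an icacls deny or a scheduled task on an ordinary path does not fire; loosen those conditions only if your environment can absorb the extra hits. The relaunch rule keys on the exact argument string seen here, so treat it as a campaign-specific indicator rather than a family-wide one.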

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
PE 190.187.52.42:80 habrafa.com tcp
MX 187.211.34.211:80 brusuax.com tcp
PE 190.187.52.42:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp

Files

memory/2196-9-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2196-8-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2192-7-0x0000000000310000-0x00000000003A2000-memory.dmp

memory/2196-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2192-3-0x0000000001F20000-0x000000000203B000-memory.dmp

memory/2196-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2192-1-0x0000000000310000-0x00000000003A2000-memory.dmp

memory/2192-0-0x0000000000310000-0x00000000003A2000-memory.dmp

C:\Users\Admin\AppData\Local\47bd7c2f-ee7b-492f-a462-50d917e3781f\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe

MD5 95a407562c1f5ff8d8c1de430349eb99
SHA1 638407b2f67ac47b69c5fa03b55144563e1c440d
SHA256 aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293
SHA512 d457d3275a4f0ee66a984b203e9fa5a1403e8f9ecbfd5e9cde11bab1e486fc0cb554cd05c6c892bf9ae59b7aada67eafca6a6deb39dd2051310fe757f28949e5

memory/2196-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2196-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2580-30-0x00000000002E0000-0x0000000000372000-memory.dmp

memory/2580-31-0x00000000002E0000-0x0000000000372000-memory.dmp

memory/1804-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1804-37-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d7d152fb25ee2df64347110e3013dc0
SHA1 23b37f681135ee94b225a7068777fb10de55c2bc
SHA256 ecab10539d28835dc8fe625f89d5e5f195f3fbac2ad20c455a9bd9afbeb52ce2
SHA512 b2b8ca81bb81af332e0ca1b06100def99a55c2c22c3d9b464c6728ffc66d1aa500e4f1bc2ea20147dc1334bab8d9cefa5cfbfbe647524f6947b2a8c42c9bf7c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 5352ae64240eb7600915d14885b51f6d
SHA1 9f86a9fd06c7cab910a9a98ab6664687376a7438
SHA256 47e768fcf1623a13df23cdd5247ab62211036d0c5d19952a77f3851f83d84cd7
SHA512 6d4c66b74d90e6c562ea996e55827a27ad8ffa6a6cceadb0ae1af237fe39d74d0472cdd0a28afded99e1a7695fff79f704de515809c7000d30eb2a380eeaeab9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 ea007376bc121793f2e73461573265ed
SHA1 5a4b11700b234824fdd96d588ed7e927ee83d7cd
SHA256 8bbafd8bc25a858899f87681352e4cfc41a19de628489e3659247ac09445f4ae
SHA512 534750d75206327358b444a38a27bb62b16cd9d48b817a2fad5371172100cd63480faf0de88b65f3e2a3dc0a97f0e921a2de8d6f16919ec0ddc1dc5a314cb930

C:\Users\Admin\AppData\Local\Temp\Cab86CC.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/1804-50-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1804-51-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1804-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1804-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1804-58-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe

MD5 c4070da9f9b0581171af16e681ccdff8
SHA1 3fb4182921fdc3acd7873ebe113ac5522585312a
SHA256 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
SHA512 c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427

memory/1748-74-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1536-75-0x00000000005A0000-0x00000000006A0000-memory.dmp

memory/1748-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1536-76-0x0000000000260000-0x00000000002AB000-memory.dmp

memory/1748-79-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1748-80-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1804-81-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1804-92-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar9CEC.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 30633d103473b8cd118489ee729f22f1
SHA1 49fc2f080762b7f427356231a6254c08a77eba88
SHA256 f664bbcef779325efa40af522f55ddb70f2b06e7744330d06b37e800e8363b53
SHA512 4f3827143aad52c2c25805f1671386cc4e9f4b4787fece422beddf5b468d50c7af6c0f57d9d9a38b302f6992301a52d5783e6fa2f97be6dc6e9d90d5debd0220

memory/764-176-0x0000000000870000-0x0000000000970000-memory.dmp

memory/764-178-0x0000000000220000-0x0000000000224000-memory.dmp

memory/2356-179-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2356-182-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2356-184-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1748-228-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2716-239-0x0000000000230000-0x0000000000330000-memory.dmp

memory/1132-272-0x0000000000980000-0x0000000000A80000-memory.dmp

memory/1012-301-0x0000000000990000-0x0000000000A90000-memory.dmp

memory/2556-326-0x0000000000C50000-0x0000000000D50000-memory.dmp
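The Network and Files tables above mix indicators worth blocking with sandbox noise and Windows' own artifacts. The following Python is an added example and not part of the report: it parses excerpts of both tables (constructed from the rows above, with duplicate rows dropped) and sorts them into block candidates, shared services to watch, resolver noise and dropped-binary hashes. The roles assigned to t.me, steamcommunity.com and api.2ip.ua (profile pages read as dead drops for the stealer's C2 address, and a public geolocation lookup) come from public reporting on Vidar and STOP/Djvu, not from this report, which records only that they were contacted; the filter for CryptnetUrlCache and Cab*/Tar*.tmp files reflects how Windows caches its root-certificate updates.

```python
import re
from ntpath import basename

# Constructed excerpt of the Network table (duplicate rows dropped).
NETWORK = """\
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
PE 190.187.52.42:80 habrafa.com tcp
MX 187.211.34.211:80 brusuax.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp
"""

# Constructed excerpt of the Files section: a path line, then its hash lines.
FILES = r"""
C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe
MD5 c4070da9f9b0581171af16e681ccdff8
SHA1 3fb4182921fdc3acd7873ebe113ac5522585312a
SHA256 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0

memory/1804-92-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build3.exe
MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6

C:\Users\Admin\AppData\Local\Temp\Cab86CC.tmp
MD5 ac05d27423a85adc1622c714f2cb6184
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
"""

NET_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]{32,128})$")

RESOLVER_IPS = {"8.8.8.8"}  # the sandbox's DNS resolver, not an indicator
SHARED_SERVICES = {         # legitimate services: alert on them, do not block them
    "api.2ip.ua": "public external-IP / geolocation lookup",
    "t.me": "Telegram profile page read as a dead-drop resolver for the C2 address",
    "steamcommunity.com": "Steam profile page read as a dead-drop resolver for the C2 address",
}


def parse_network(text):
    flows = []
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if m:
            country, ip, port, host, proto = m.groups()
            flows.append({"country": country, "ip": ip, "port": int(port),
                          "host": host, "proto": proto})
    return flows


def classify_network(flows):
    """Split flows into C2 candidates, shared services, and resolver noise;
    direct-to-IP flows (no DNS name) are also listed on their own."""
    out = {"c2_candidates": set(), "direct_ip": set(),
           "shared_services": set(), "resolver_noise": set()}
    for f in flows:
        if f["ip"] in RESOLVER_IPS:
            out["resolver_noise"].add(f["host"])
        elif f["host"] in SHARED_SERVICES:
            out["shared_services"].add(f["host"])
        else:
            out["c2_candidates"].add((f["host"], f["ip"], f["port"]))
            if f["host"] == f["ip"]:
                out["direct_ip"].add(f"{f['ip']}:{f['port']}")
    return out


def parse_files(text):
    """Group each path line with the hash lines that follow it."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
        else:
            current = {"path": line}
            entries.append(current)
    return entries


def dropped_binaries(entries):
    """Keep hashed files the malware wrote; drop memory dumps and Windows'
    own certificate-update artifacts (CryptnetUrlCache, Cab*/Tar*.tmp)."""
    keep = []
    for e in entries:
        p = e["path"]
        if "sha256" not in e or p.startswith("memory/"):
            continue
        if "\\CryptnetUrlCache\\" in p or re.search(r"\\(Cab|Tar)[0-9A-F]+\.tmp$", p):
            continue
        keep.append({"name": basename(p), "path": p, "sha256": e["sha256"]})
    return keep


def iocs(network_text, files_text):
    net = classify_network(parse_network(network_text))
    return {"block": sorted(f"{h} {ip}:{port}" for h, ip, port in net["c2_candidates"]),
            "watch": sorted(net["shared_services"]),
            "hashes": {b["name"]: b["sha256"] for b in dropped_binaries(parse_files(files_text))}}


if __name__ == "__main__":
    import json
    print(json.dumps(iocs(NETWORK, FILES), indent=2))
```

The direct-to-IP entry (65.109.241.139:443, contacted with no DNS lookup) is the highest-value network indicator in the table: it is the only destination that cannot be explained by a public service or by DNS resolution of a named host. The two hash entries are the payloads the sample downloaded; the sample's own hashes are already in the report header.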

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:55

Reported

2024-01-15 05:00

Platform

win10-20231220-en

Max time kernel

295s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
(5 rule matches; the report records no description, indicator, process or target for them)

Detected Djvu ransomware

Description Indicator Process Target
(16 rule matches; the report records no description, indicator, process or target for them)

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\de28997d-8d73-409f-b4d4-a8479a7737a6\\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 lookups)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 308 set thread context of 32 N/A C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe
PID 4764 set thread context of 1904 N/A C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe
PID 1648 set thread context of 4960 N/A C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe
PID 2352 set thread context of 4924 N/A C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build3.exe C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build3.exe
PID 2464 set thread context of 4644 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 920 set thread context of 1912 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4800 set thread context of 1288 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1072 set thread context of 4508 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 308 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe
PID 32 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe C:\Windows\SysWOW64\icacls.exe
PID 32 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe
PID 4764 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe
PID 1904 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe
PID 1648 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe
PID 1904 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build3.exe
PID 2352 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build3.exe C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build3.exe
PID 4924 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2464 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4644 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe

"C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe"

C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe

"C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\de28997d-8d73-409f-b4d4-a8479a7737a6" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe

"C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe

"C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe

"C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe"

C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe

"C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1912

C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build3.exe

"C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build3.exe

"C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build3.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
BA 109.175.29.39:80 brusuax.com tcp
AR 186.182.55.44:80 habrafa.com tcp
US 8.8.8.8:53 44.55.182.186.in-addr.arpa udp
US 8.8.8.8:53 39.29.175.109.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp

Files

memory/308-2-0x0000000002140000-0x00000000021DE000-memory.dmp

memory/32-1-0x0000000000400000-0x0000000000537000-memory.dmp

memory/308-4-0x00000000022D0000-0x00000000023EB000-memory.dmp

memory/32-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/32-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/32-3-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\de28997d-8d73-409f-b4d4-a8479a7737a6\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe

MD5 ba60132ec243d6706685ad319ddddcfb
SHA1 8072f04eaebb403359596ce41b3639b13fbba59c
SHA256 67734fa79f54ee897f01ba1d8316a6c58ce2d3846d505203849412b084d705cf
SHA512 4a92641de472153e582a79fa37977c8c5a11e084b1d51aaa5f7640381e20f5c148ca3cf1b4a7aba039a6030227092d99c8cb3eff2b5ef1eb22b448b129a4846f

memory/1904-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1904-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1904-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 6fe0ccb584239bd0d75208b5043fb272
SHA1 d9f0e1fd7b35ff3986b4cbe2ad738577863b4788
SHA256 a7848b992fcec6370e232b62640cb0765768e1b723ed392b3fadde3d34c5ffe0
SHA512 d99b524ec8bb5d85d1d7f4569debd9a6e3d8baef0d17ccd756b60cca789deead5b76bfc16f4ea1ad0985ce2714f498b5e9d23db9214af262ad1290097b569f05

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

memory/1904-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1904-29-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 89ae2a06f6ef4b6df63a1d1a00100d57
SHA1 5524d132d54856c6c15dd362143978cd16ca33f8
SHA256 934634313744ba70fa34de947719b64ab4d5a55500b593fb5703704a3182b8c0
SHA512 343b52dffc04ddd75ec4f42f5bdf8f6129f2a7b45ed6d3cdcc7989236b6cf723c3422cd7efa8729c7c5fc419470b80f9d0882b1d4e434182c7b9183e4168dc3a

memory/4764-20-0x0000000002040000-0x00000000020E2000-memory.dmp

memory/32-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1904-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1904-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1904-36-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe

MD5 4470ae6d1fdd15e2ee1ee7cd5e367095
SHA1 a98ceeba1ad55b6c8a8306178e922e9efd9d4f05
SHA256 25e717b8b5f39d20acdd619cf15155f6a0cf5257302f7489276e4c8ec64175f1
SHA512 c707461376dd24885978bd60ffd936338bbdb85333ae7b2a308994c8039d632506ef0ce01585af9e189e84c68f86c399ae4c809e53897be22aaa34ed951168a5

memory/4960-46-0x0000000000400000-0x000000000065E000-memory.dmp

memory/4960-52-0x0000000000400000-0x000000000065E000-memory.dmp

memory/4960-51-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1648-50-0x00000000020A0000-0x00000000020EB000-memory.dmp

memory/1648-49-0x0000000000460000-0x0000000000560000-memory.dmp

C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe

MD5 0db54f634f9a638b2bec2c602e97d52c
SHA1 30acccf74b2f5acb45daaf3c6f8b5ed1d081d149
SHA256 65c7ce17c1511f20321938530cce8d87961d5ca625d4db87c2bd6118ca55dd1e
SHA512 d9d6cd3edf4ab3a3b61b863ea27d3d6c1f9f26a3596bc8bb5a1608ebb68657e1a4dee605775daedfcf98867d19a9686cbf2ad7142faf065f9a3b10ea3a355027

C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe

MD5 7d08821de6b860d813703ac8030bb8a6
SHA1 dd5d9275bb59f53b0721dbb260fa15839f16d6fa
SHA256 2b205a8936766885f7f93bcb6c0c0cced7678a22ab79525859f6c515635d26b3
SHA512 7b2657105010bdc2ba9a7ea05db5c46e87c45f908f62963f6e6749b402aed14977ca0f2f2b6659fc114a8034af77abb5af93bd4f1b44834f01958a81bec64b8b

memory/1904-53-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1904-64-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4960-66-0x0000000000400000-0x000000000065E000-memory.dmp

memory/4924-72-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2352-76-0x0000000000B49000-0x0000000000B5A000-memory.dmp

memory/2352-77-0x0000000000920000-0x0000000000924000-memory.dmp

memory/4924-80-0x0000000000400000-0x0000000000406000-memory.dmp

memory/4924-78-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 96c537da5e32398b156de85720d9838f
SHA1 89fc76f360c09ee1597af616ff2acd43669f682f
SHA256 69bdddd91bdd75415d27b04b89a2dfd4d9f58c9527bad9a17d19586d57351b6c
SHA512 19cd60e1e8641e568aad4c88aa6167e961f64f1890cb5d7d4cf6c3b1a0fbeea053c3b1b48161ac6982d5feb5ca9ef72585a5cff43a099e6e1aac2fb13c7cc246

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 c8a396d2eff0482c757d97a0f3f9a6da
SHA1 90152104157eb1c381757bb24a8e1455fbc9d216
SHA256 0f16a0ab2f4a07f517356787e5046ac2af0c0b021250cf178b1f7e1a7d8d802e
SHA512 89ca81bef0789b26531cfdaad751500c313ea82db8e0fc5c72526dad9b74f51ddf26d20bc8010066c6f1d1fe515a97da7d1d03b7d69e0e2e16242362f162dae4

memory/2464-103-0x0000000000A4A000-0x0000000000A5A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 d252d19a3a2e6e458bce14342a3322a8
SHA1 62764d56d888e35816425c80e41a5933633bc548
SHA256 3b712598960ee46835d5bd085b7da4e9b235da25d3b299e28b294af6b277c225
SHA512 c4e1f4a8550bbda3291feb155b05a5428761aef6b9968c60443c007a14bd0137d45e4f68de15a41d2ba85e26e0a449f1297f253ffc31a68af9c0a42acc24bb76

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 28a2a6e9f4adb79261e929ec6f1dc817
SHA1 e1e7940aae7cbb6f08d8642fd10a7da8764dde72
SHA256 920e6db6038bb4d006f7de2ebe05147be968bc4c68b35e8f617d6fab800e9342
SHA512 0bb02e2c7b7f57f3de754182eb1e50cc83f7db3f7538397a96c8b900056c7fe9396d951aba6516e9cfb847e205673dc675b33e268c21caed70bb35c211b10322

memory/920-125-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

memory/4800-153-0x000000000091E000-0x000000000092E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 13f664830f31122210ed85c795847487
SHA1 0b39cc01bbb89261c2b3e0db4dd091fcc99a9ffc
SHA256 15694ccb0ae6829dcb4ba4225eb46ff766d8c3303d983cfc3554957c7b92177a
SHA512 1447bebf73b849ef2a97f4f302cdbc8e678eefaae7d2386ec5e96da5548d292dbb9920ffe4f69ff0e2b9f76964011789c717fded901ac10ce9ebc9be8f5c4c3f

memory/1072-180-0x000000000082E000-0x000000000083E000-memory.dmp