Malware Analysis Report

2025-08-10 18:25

Sample ID 240115-fkxffshgdj
Target b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877
SHA256 b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877
Tags
djvu vidar discovery persistence ransomware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877

Threat Level: Known bad

The file b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877 was found to be: Known bad.

Malicious Activity Summary

djvu vidar discovery persistence ransomware stealer

Detected Djvu ransomware

Djvu Ransomware

Detect Vidar Stealer

Vidar

Downloads MZ/PE file

Executes dropped EXE

Modifies file permissions

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:56

Reported

2024-01-15 05:01

Platform

win7-20231129-en

Max time kernel

298s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1a841c40-07de-44a9-bedd-c24a30328690\\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob omitted] C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2816 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
PID 2824 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe C:\Windows\SysWOW64\icacls.exe
PID 2824 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
PID 2580 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
PID 2784 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe
PID 2900 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe
PID 1228 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe

"C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe"

C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe

"C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\1a841c40-07de-44a9-bedd-c24a30328690" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe

"C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe

"C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe

"C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe"

C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe

"C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 1452

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 zexeq.com udp
MX 187.211.34.211:80 brusuax.com tcp
KR 211.168.53.110:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:56

Reported

2024-01-15 05:01

Platform

win10-20231215-en

Max time kernel

298s

Max time network

305s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\43d29600-5dd6-4448-aee8-79e285f7fb51\\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2780 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
PID 3236 wrote to memory of 164 N/A C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe C:\Windows\SysWOW64\icacls.exe
PID 3236 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
PID 4892 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
PID 4128 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe
PID 4068 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe

"C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe"

C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe

"C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\43d29600-5dd6-4448-aee8-79e285f7fb51" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe

"C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe

"C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe

"C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe"

C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe

"C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1936

Network


Files


C:\Users\Admin\AppData\Local\43d29600-5dd6-4448-aee8-79e285f7fb51\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe

C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe

C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe
