Malware Analysis Report

2025-08-10 18:25

Sample ID 240115-flacbaagb9
Target c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6
SHA256 c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6
Tags
djvu vidar discovery persistence ransomware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6

Threat Level: Known bad

The file c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6 was found to be: Known bad.

Malicious Activity Summary

djvu vidar discovery persistence ransomware stealer

Vidar

Djvu Ransomware

Detected Djvu ransomware

Detect Vidar Stealer

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Modifies file permissions

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15): no technique mappings are included in this export.

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:57

Signatures

Unsigned PE

No indicator details recorded for this hit.

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:57

Reported

2024-01-15 05:02

Platform

win7-20231215-en

Max time kernel

295s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe"

Signatures

Detect Vidar Stealer

stealer
5 hits; the export carries no indicator detail for them.

Detected Djvu ransomware

14 hits; the export carries no indicator detail for them.

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

The sandbox files this under discovery, but the command itself (see Processes) denies Everyone (S-1-1-0) the Delete (DE) and Delete Child (DC) rights on the GUID-named persistence directory, inherited by files and subfolders (OI)(CI). It is an anti-removal measure: the persistent copy referenced by the SysHelper Run value cannot be deleted by the user until that deny ACE is removed.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c9694d6b-38b7-4597-9328-f327c57c0aa4\\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe N/A

Looks up external IP address via web service

api.2ip.ua, 3 lookups. This is the geolocation check the Djvu/STOP family performs before it encrypts (it aborts on hosts in a set of excluded countries); the TCP sessions to 172.67.139.220:443 under Network are these lookups.

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe N/A

Read this hit with care. AuthRoot is the store that Windows' automatic root-certificate update fills on demand when a TLS chain needs a public root that is not yet cached, and 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 is the SHA-1 thumbprint of the DigiCert High Assurance EV Root CA. The writes are attributed to build2.exe because they happen in its process during its first HTTPS connections (t.me, steamcommunity.com, see Network), and the CryptnetUrlCache entries under Files are the matching CryptoAPI download cache. Before treating this as a rogue root install, check the thumbprint against the Microsoft trusted root list; a thumbprint that appears there is platform behaviour, not the malware's.

Suspicious use of WriteProcessMemory

The sandbox logs one row per WriteProcessMemory call; identical rows are collapsed below with a count. The four-write groups accompany ordinary child-process creation (icacls.exe, the --Admin relaunch, build2.exe, WerFault.exe) and are expected noise. The eleven-write groups, 2552 -> 1888, 2720 -> 1356 and 2084 -> 2112, each target a fresh copy of the writer's own image, line up with the "Suspicious use of SetThreadContext" hit in the summary, and the written PIDs are the ones whose 0x400000-0x537000 (sample) and 0x400000-0x65E000 (build2.exe) image ranges were dumped under Files. That is the RunPE / process-hollowing pattern: start a suspended copy of yourself, overwrite its image with the unpacked payload, point the main thread at the new entry point and resume. The unpacked Djvu and Vidar code should be taken from the dumps of PIDs 1888, 1356 and 2112 rather than from the packed files on disk.

Description Indicator Process Target
PID 2552 wrote to memory of 1888 (11 writes) N/A C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
PID 1888 wrote to memory of 2904 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe C:\Windows\SysWOW64\icacls.exe
PID 1888 wrote to memory of 2720 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
PID 2720 wrote to memory of 1356 (11 writes) N/A C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
PID 1356 wrote to memory of 2084 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe
PID 2084 wrote to memory of 2112 (11 writes) N/A C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe
PID 2112 wrote to memory of 2504 (4 writes) N/A C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe C:\Windows\SysWOW64\WerFault.exe
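As an added example (not part of the sandbox report), the following Python collapses a WriteProcessMemory table of this shape into per-pair write counts, renders the process chain, and flags pairs in which a process writes many times into a fresh copy of its own image, the hollowing signal described above. The input rows are constructed from the table above; the eight-write threshold and the exact row format are assumptions to adjust for other sandboxes.

```python
"""Collapse a sandbox WriteProcessMemory table into per-pair write counts and
flag the writer/target pairs that look like process hollowing (RunPE)."""
import re
from collections import Counter, defaultdict

# Row format used by the report: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
# Paths in this report contain no spaces, so \S+ is enough (assumption: adapt for quoted paths).
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Sample input constructed from the behavioral1 table: one row per write, duplicates kept.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe"
BUILD2 = r"C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe"
ICACLS = r"C:\Windows\SysWOW64\icacls.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"


def _rows(src, dst, src_img, dst_img, n):
    return [f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"] * n


SAMPLE_ROWS = (
    _rows(2552, 1888, SAMPLE, SAMPLE, 11)
    + _rows(1888, 2904, SAMPLE, ICACLS, 4)
    + _rows(1888, 2720, SAMPLE, SAMPLE, 4)
    + _rows(2720, 1356, SAMPLE, SAMPLE, 11)
    + _rows(1356, 2084, SAMPLE, BUILD2, 4)
    + _rows(2084, 2112, BUILD2, BUILD2, 11)
    + _rows(2112, 2504, BUILD2, WERFAULT, 4)
)


def parse_rows(rows):
    """Return ({(src_pid, dst_pid): write_count}, {pid: image_path})."""
    counts, images = Counter(), {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue  # header or malformed line
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        counts[(src, dst)] += 1
        images[src], images[dst] = src_img, dst_img
    return counts, images


def flag_hollowing(counts, images, min_writes=8):
    """Pairs where the writer targets a copy of its own image with many writes.

    Ordinary CreateProcess of a child produces only a handful of writes; a RunPE
    loader writes the headers plus every section, hence the higher count.
    """
    return sorted(
        (src, dst, n)
        for (src, dst), n in counts.items()
        if n >= min_writes and images[src].lower() == images[dst].lower()
    )


def render_tree(counts, images, root):
    """Indented process chain following the write edges from `root`."""
    children = defaultdict(list)
    for (src, dst), n in counts.items():
        children[src].append((dst, n))
    lines, stack = [], [(root, 0, None)]
    while stack:
        pid, depth, n = stack.pop()
        name = images[pid].rsplit("\\", 1)[-1]
        tag = "" if n is None else f" ({n} writes)"
        lines.append(f"{'  ' * depth}{pid} {name}{tag}")
        for dst, cnt in sorted(children[pid], reverse=True):  # smallest PID pops first
            stack.append((dst, depth + 1, cnt))
    return lines


if __name__ == "__main__":
    counts, images = parse_rows(SAMPLE_ROWS)
    print("\n".join(render_tree(counts, images, 2552)))
    for src, dst, n in flag_hollowing(counts, images):
        print(f"hollowing candidate: {src} -> {dst} ({n} writes into its own image)")
```

The flag is deliberately conservative: it needs both a same-image target and a high write count, so a normal self-relaunch (1888 -> 2720, four writes) is not reported while the three hollowing steps are.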

Processes

C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe

"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe"

C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe

"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c9694d6b-38b7-4597-9328-f327c57c0aa4" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe

"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe

"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe

"C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe"

C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe

"C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1440

Windows Error Reporting invoked for PID 2112, the hollowed build2.exe instance: the Vidar stage crashed during this run, which is the "Program crash" entry in the summary.
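Added example, not from the report: a correlation check for the three artefacts of Djvu/STOP persistence shown in this run, the SysHelper Run value with --AutoStart pointing into a GUID-named directory under AppData\Local (registry row under Signatures), the icacls deny ACE on that same directory, and the --Admin IsNotAutoStart IsNotTask relaunch. Inputs are constructed from the rows above; the regular expressions assume the report's escaping style and paths without spaces.

```python
"""Correlate the Djvu/STOP persistence pattern: Run value with --AutoStart into a
GUID-named %LOCALAPPDATA% directory, an icacls deny ACE that stops Everyone deleting
that directory, and the --Admin IsNotAutoStart IsNotTask relaunch."""
import ntpath
import re

# Sample input constructed from the behavioral1 registry row and command lines.
RUN_ROW = r'Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c9694d6b-38b7-4597-9328-f327c57c0aa4\\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe\" --AutoStart"'
ICACLS_CMD = r'icacls "C:\Users\Admin\AppData\Local\c9694d6b-38b7-4597-9328-f327c57c0aa4" /deny *S-1-1-0:(OI)(CI)(DE,DC)'
ADMIN_CMD = r'"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe" --Admin IsNotAutoStart IsNotTask'

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
GUID_DIR_RE = re.compile(r"\\AppData\\Local\\" + GUID + r"\\", re.I)
RUN_RE = re.compile(r'^Set value \(str\) (\\REGISTRY\\\S+?\\Run)\\(\w+) = "(.*)"$')
ICACLS_RE = re.compile(r'^icacls\s+"([^"]+)"\s+/deny\s+\*?(S-[\d-]+):((?:\([^)]*\))+)\s*$', re.I)
INHERIT = {"OI", "CI", "IO", "NP", "I"}  # icacls inheritance flags; everything else is a right
EVERYONE = "S-1-1-0"


def parse_run_value(row):
    """Split a 'Set value (str)' row into key, value name, target exe and arguments."""
    m = RUN_RE.match(row)
    if not m:
        return None
    key, name, data = m.groups()
    data = data.replace('\\"', '"').replace("\\\\", "\\")  # undo the report's escaping
    q = re.match(r'^"([^"]+)"\s*(.*)$', data)
    exe, args = (q.group(1), q.group(2)) if q else (data, "")
    return {"key": key, "value": name, "exe": exe, "args": args.split()}


def parse_icacls_deny(cmdline):
    """Extract directory, SID, inheritance flags and denied rights from an icacls /deny call."""
    m = ICACLS_RE.match(cmdline.strip())
    if not m:
        return None
    path, sid, spec = m.groups()
    groups = re.findall(r"\(([^)]*)\)", spec)  # e.g. ["OI", "CI", "DE,DC"]
    inherit = [g for g in groups if g in INHERIT]
    rights = {r for g in groups if g not in INHERIT for r in g.split(",")}
    return {"dir": path, "sid": sid, "inherit": inherit, "rights": rights}


def assess_djvu_persistence(run_rows, cmdlines):
    """Combine the Run value, the ACL lock on its directory and the relaunch into findings."""
    f = {"run_value": None, "persist_dir": None, "autostart_in_guid_dir": False,
         "delete_denied_to_everyone": False, "admin_relaunch": False}
    run = next((r for r in map(parse_run_value, run_rows) if r), None)
    if run:
        f["run_value"] = run["value"]
        if GUID_DIR_RE.search(run["exe"]) and "--AutoStart" in run["args"]:
            f["autostart_in_guid_dir"] = True
            f["persist_dir"] = ntpath.dirname(run["exe"])
    for lock in filter(None, map(parse_icacls_deny, cmdlines)):
        same_dir = f["persist_dir"] is not None and lock["dir"].lower() == f["persist_dir"].lower()
        if same_dir and lock["sid"] == EVERYONE and {"DE", "DC"} <= lock["rights"]:
            f["delete_denied_to_everyone"] = True
    f["admin_relaunch"] = any("--Admin" in c and "IsNotAutoStart" in c for c in cmdlines)
    f["djvu_like"] = f["autostart_in_guid_dir"] and f["delete_denied_to_everyone"]
    return f


if __name__ == "__main__":
    for k, v in assess_djvu_persistence([RUN_ROW], [ICACLS_CMD, ADMIN_CMD]).items():
        print(f"{k:>28}: {v}")
```

The two strong signals are required together (a Run value alone is common, a deny ACE alone is unusual but not malicious), while the relaunch is reported as supporting evidence. On a live host the lock is undone with icacls <dir> /remove:d *S-1-1-0 before the directory and the Run value are removed; deleting the value alone leaves the locked copy in place.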

Network

All traffic below is from the Windows 7 run, one row per connection. api.2ip.ua is the Djvu/STOP geolocation check noted above. zexeq.com and brusuax.com, reached over plain HTTP on port 80, are the Djvu stage's C2 hosts (its key exchange and payload download run over HTTP, which is how "Downloads MZ/PE file" is satisfied). t.me and steamcommunity.com are the dead-drop resolvers the Vidar stage reads its current C2 address from, and 65.109.241.139:443, contacted by bare IP with no name lookup, is that C2. The 8.8.8.8:53 rows are the DNS resolutions. Block or alert on the two HTTP hosts and the bare IP; t.me and steamcommunity.com are legitimate services and are only useful as indicators in combination with the process that contacts them.

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 zexeq.com udp
BG 95.158.162.200:80 zexeq.com tcp
MX 187.211.34.211:80 brusuax.com tcp
BG 95.158.162.200:80 zexeq.com tcp
BG 95.158.162.200:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
BG 95.158.162.200:80 zexeq.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp
BG 95.158.162.200:80 zexeq.com tcp
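Added example, not part of the report: Python that turns a Network table of this shape into de-duplicated endpoints with a role and hit count, then derives a blocklist that excludes the legitimate services a stealer only reads from. The rows are constructed from the table above; the two classification lists are the analyst's own and are assumptions to extend for your environment.

```python
"""Classify sandbox network rows into blockable C2 and alert-only endpoints."""
import ipaddress
from collections import OrderedDict

# Sample input constructed from the behavioral1 Network table (one row per connection).
NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 zexeq.com udp
BG 95.158.162.200:80 zexeq.com tcp
MX 187.211.34.211:80 brusuax.com tcp
BG 95.158.162.200:80 zexeq.com tcp
BG 95.158.162.200:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
BG 95.158.162.200:80 zexeq.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp
BG 95.158.162.200:80 zexeq.com tcp
""".splitlines()

# Assumptions: analyst-maintained lists, extend for your environment.
IP_LOOKUP_SERVICES = {"api.2ip.ua"}                  # external-IP / geolocation checks
PUBLIC_DEAD_DROPS = {"t.me", "steamcommunity.com"}   # legitimate sites abused to host the C2 address


def parse_rows(rows):
    out = []
    for row in rows:
        parts = row.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue  # header or malformed line
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        out.append({"country": country, "ip": ip, "port": int(port),
                    "domain": domain, "proto": proto.lower()})
    return out


def is_bare_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def classify(rows):
    """Map (ip, port, domain) -> {"role", "hits", "country"}, first-seen order preserved."""
    endpoints = OrderedDict()
    for r in parse_rows(rows):
        if r["proto"] == "udp" and r["port"] == 53:
            continue  # resolver traffic; the resolved name is already on the TCP rows
        key = (r["ip"], r["port"], r["domain"])
        if key in endpoints:
            endpoints[key]["hits"] += 1
            continue
        if r["domain"] in IP_LOOKUP_SERVICES:
            role = "external IP / geolocation lookup (alert)"
        elif r["domain"] in PUBLIC_DEAD_DROPS:
            role = "dead-drop resolver on a legitimate service (alert on process, do not block)"
        elif is_bare_ip(r["domain"]):
            role = "direct-to-IP C2, no DNS lookup (block)"
        elif r["port"] == 80:
            role = "plaintext HTTP C2 (block)"
        else:
            role = "unclassified TLS endpoint (review)"
        endpoints[key] = {"role": role, "hits": 1, "country": r["country"]}
    return endpoints


def blocklist(endpoints):
    """Domains (or the bare IP where no name was used) for endpoints classed as blockable."""
    return sorted({dom for (_ip, _port, dom), v in endpoints.items() if "(block)" in v["role"]})


if __name__ == "__main__":
    eps = classify(NETWORK_ROWS)
    for (ip, port, dom), v in eps.items():
        print(f"{dom:>20} {ip}:{port:<4} {v['hits']:>2}x  {v['role']}")
    print("blocklist:", blocklist(eps))
```

The bare-IP rule matters more than the port-80 rule in practice: a TLS connection whose "domain" column is the IP itself means the sample never resolved a name, which is the usual shape of a stealer's real C2 after it has read the address from a public profile page.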

Files

Dropped files and memory dumps from the Windows 7 run. Dump names follow memory/<pid>-<sequence>-<start>-<end>-memory.dmp; the repeated 0x400000-0x537000 dumps of PIDs 1888 and 1356 and the 0x400000-0x65E000 dumps of PID 2112 are the image ranges of the hollowed processes and are where the unpacked Djvu and Vidar code lives. build2.exe appears many times with different hashes because the sandbox hashed the file at several points while it was being downloaded and written, so the intermediate hashes are not usable indicators on their own. The CryptnetUrlCache entries are CryptoAPI's own download cache for certificate chain building and are not malware artefacts.

memory/2552-0-0x0000000000270000-0x0000000000301000-memory.dmp

memory/2552-1-0x0000000000270000-0x0000000000301000-memory.dmp

memory/1888-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1888-8-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1888-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2552-3-0x00000000008F0000-0x0000000000A0B000-memory.dmp

memory/1888-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\c9694d6b-38b7-4597-9328-f327c57c0aa4\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe

MD5 38fac68cda54410b4e04271adfb5f905
SHA1 7b859379d5cf75ea6f7ce28a548e98bc092b7777
SHA256 7953af02b394cf7ad1fac3202df4ef47ad3397c51123799fa0be9ddb08e16133
SHA512 288ffd48dc72442ba5ae2132dd9afb7717b3352275f3c4ad24edbb81a3e62047c9d6c568e1308cd99a7705252d2ceee0d2d2cc0641fe87ee46f5b3050543aee0

memory/1888-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2720-27-0x00000000002A0000-0x0000000000331000-memory.dmp

memory/2720-37-0x00000000002A0000-0x0000000000331000-memory.dmp

memory/1356-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1356-122-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4940.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89a0c1c21f3bd545e158879bed7a8228
SHA1 4b38d02bdfc1574f36afa41531c55529df763d04
SHA256 5f694dfef7674a2a7194f6016f653fef5d581ee6b8636464aee4e8ba48132e42
SHA512 ac075d58748b91fda370c5c79451bb5fb691fa09f56e337675b19fa3329e1045f76c6cac3f28fcc81f41cc640e1154c615149abab650bcfb8f31a1628ce33f8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 616ef8e533eec916885308024aafe48e
SHA1 5f42dfe598f6b6ee1a31839bbbc9c028b7d2ff6c
SHA256 0c6c1253ddd7bae0ef012920f88c4150c21443464f8fa8078504b0ad6d2f2e22
SHA512 daa96bc706990b6fd96242d15455647a0315c5f4ffd407682938ec504b984ae43ee88007f3ea5600633434518830572b1e9e2fd853b0b1ff3e69f98861ecf5c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 f31d5c5bf9375633b9286d0d5b375458
SHA1 c3b7d745f792350a47ff412f51047e2700e6c6b4
SHA256 92d3e1b18d3d584ee0078f0f533358b2268a5365a3303c0d8f7a3b188981070e
SHA512 4c1642dec922a60510f192be1da86d3e362d24ee059c83a18d3d8b87d4ef34ac68a03f803df435501067e1ab6f5a49294ac32c8961b7181f568dd6a2c4fa83c7

memory/1356-135-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1356-136-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe

MD5 33b11b6a7a2afb431ede5d36f06940c6
SHA1 5e06682e4644f1ff858297d1b023bc3f3be44c2f
SHA256 af8b4702af58b11b4d4935bd60064c23d020b0a24bfc3b8ed7fb9f318d530da6
SHA512 bb73b026b3e17f8de30eaa272115f8edc59e48834b53a762a121e038d8cb71743f98a879c95ae9dd4b38fcae24e8469e1beadb28d45893d281a52ec34dc6ff78

C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe

MD5 55a7daea46e293fa9bf4c1e243bcf405
SHA1 99061832836e646cc5c58025ca6de08c985ac68c
SHA256 6c74c9fe6046767d60df451ab627ee488111eaa82bab035daad1d90d6d41ce1e
SHA512 a51f47a77f13d59d0f5f83c6f607a550000b7693821b48a41a1412147a9aa5a837d712e78ec96f5f7d185c2772eb7241bc42624a0acc5ac89d7d15d722060f3a

\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe

MD5 c4070da9f9b0581171af16e681ccdff8
SHA1 3fb4182921fdc3acd7873ebe113ac5522585312a
SHA256 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
SHA512 c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427

memory/2084-157-0x00000000003A0000-0x00000000003EB000-memory.dmp

memory/2112-159-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2112-158-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1356-156-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2084-155-0x00000000002E0000-0x0000000000307000-memory.dmp

C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe

MD5 95fa82818b09faaf29e49db216e67b59
SHA1 2e827e2694ab73733f2fa23a846b186c23124ac5
SHA256 bdeaa1fa185fac8563112c99f98a9e178224fb03c590cb93cfa31cfcf174850f
SHA512 dbc8803bccfd39e4d26c93c30002cae1f698cb7c1e3b7d601f9d8d72ec15719ad350feb3ee37d67de2852005cd2a46c6d117f35484ed4e21b8f88e64c64ff0fd

memory/2112-152-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2112-150-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe

MD5 27dd517ce59cb2d294cf664d9e7cbe50
SHA1 a35d64c2b10326bdd5b9ec103669edf60e82d0ca
SHA256 2e7f5d862172e2ade52a1a0077b068e43735d40a30c6ff293168c055910c9b1a
SHA512 5a32465d8818e97174dfe36de6ebff60eff2fd66ccab93346649ed413b0890cd38b90d6bbc0a792a60a1f92711fea0270205db765fce4992282fc3830fad2356

C:\Users\Admin\AppData\Local\Temp\Tar676B.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9423b96985768570a95246bb08952e28
SHA1 3ce52f0dff9e71dd0722e4b51531175fc6c73268
SHA256 d631f9f346af6b6d6e07a0f599e20fe177174a8c2944d01f0291453adcd05c82
SHA512 3a0a948c61a1e3983f1f61190c467289b770a40d9fa415b05d87061d737483513c5a6fa66d8f1445ddfa73b3c79cd9f5b525ee2cce371362eb624bbe51ba0069

\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe

MD5 a2627830af7d1ff75c7606461de62601
SHA1 ded6c1393484fdb2cb76f54c3cba8ff9f59dbadd
SHA256 8732609ee2c59b5ae851f97bf434c8a1e15b2bbb9c18fb433ad6e55c05e411c2
SHA512 863d01021e23ace70726f507768aa3cee013fb28d29b7bb79743f0580351013f925f25cc27fec23f7755111fdb8469b76a33e8fb9cda981e1b556e89fca38baa

\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe

MD5 ff63e9b7a52eab1cd039bfe4072a8216
SHA1 1b1ba9bbedcbeecaece8629e6a4e15c6b38122ad
SHA256 ce37a41e7ecbc5f7f59488d679fc13a780d64bfb2e84c6da0d6782a9940d45b2
SHA512 45cb1d90d2bdf258d1b49109985282fb736ba3805e24efcba2ee71c8d1a1f9ecbac43a25ad9c29d8b233f1689b5a863776fe1cce28960d55450fe2e200c155be

\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe

MD5 0431cb8e36a74e4b0378bc97069e7ae1
SHA1 00d90d43700e3c072dabaacb511f0f57ec2df4ce
SHA256 2daf1caa0302954352b04b81f66dea0e2f9e1eb566e0b1ac67b877df6cc765e5
SHA512 d85609624ca9d75a6b618e774dd6fe83cfcd96644d1019d1eb50bf71b799bcc5e619502dcb2257729a70a5c0fcd81fd3533c877b63dcf8512c9a8702789640b7

\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe

MD5 0a2b1a7792cddc54139263be91b9f83a
SHA1 aa7f0c411e778a3e0ddcdd9299b3a198a33f4e74
SHA256 2657b81283e43270700463ed49206c7e3b7499e4ae2b2a02ce9aade496037a03
SHA512 d5bb6ad68f1ccb7815861ef32f307cb54555d18309d8638066fdd1cf7fbc18545b69477a4aa6f0d845a18e77d459908e4a916eb1686b12d3e05020b9be3db3bd

memory/2112-280-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1356-282-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1356-284-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1356-285-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1356-286-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:57

Reported

2024-01-15 05:02

Platform

win10-20231220-en

Max time kernel

15s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe"

Signatures

Detect Vidar Stealer

stealer
5 hits; the export carries no indicator detail for them.

Detected Djvu ransomware

17 hits; the export carries no indicator detail for them.

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\416d2e1d-2dd6-4f3a-b064-310d6b5ad152\\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe N/A

Looks up external IP address via web service

api.2ip.ua, 3 lookups (the same Djvu/STOP geolocation check as in behavioral1).

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Identical rows are collapsed with a count, as for behavioral1. The ten-write groups (4552 -> 1600, 4580 -> 3132) are the same self-hollowing steps seen on Windows 7; the three-write groups are ordinary child creation. The rows end at the second hollowed instance (3132) and no write into a build2.exe process is recorded, which fits the 15 s kernel time: this run documents the loader and the Djvu stage, and the Vidar stage of the chain is evidenced by behavioral1.

Description Indicator Process Target
PID 4552 wrote to memory of 1600 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
PID 1600 wrote to memory of 4672 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe C:\Windows\SysWOW64\icacls.exe
PID 1600 wrote to memory of 4580 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
PID 4580 wrote to memory of 3132 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe

"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe"

C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe

"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe"

C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe

"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\416d2e1d-2dd6-4f3a-b064-310d6b5ad152" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe

"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe

"C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe"

C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe

"C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 2072

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 zexeq.com udp
BA 109.175.29.39:80 zexeq.com tcp
KR 211.168.53.110:80 zexeq.com tcp
US 8.8.8.8:53 39.29.175.109.in-addr.arpa udp
US 8.8.8.8:53 110.53.168.211.in-addr.arpa udp
KR 211.168.53.110:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
KR 211.168.53.110:80 zexeq.com tcp
DE 116.202.0.196:10220 tcp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
KR 211.168.53.110:80 zexeq.com tcp
DE 116.202.0.196:10220 tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
DE 116.202.0.196:10220 tcp
DE 116.202.0.196:10220 tcp
KR 211.168.53.110:80 zexeq.com tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
GB 88.221.134.96:80 tcp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/1600-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4552-4-0x00000000026E0000-0x00000000027FB000-memory.dmp

memory/1600-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4552-3-0x0000000000960000-0x00000000009FD000-memory.dmp

memory/1600-2-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1600-1-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\416d2e1d-2dd6-4f3a-b064-310d6b5ad152\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe

MD5 7ad2b9fe5d3b3c6b25b8adfce09a8547
SHA1 0d1891de86c3bd57d216cb993c76cc78c2cd16d0
SHA256 cca8b742fdb16caf328bf0d64f3435cd6667be81674a7b57dcff3a698216f241
SHA512 9c4eae9e071e2749f1d1e98dfd77d52f9a5c7539adaa88fc3414bf4ac2ebf8882afb3d579918f9ad53987e9732b4f54691668d6c674207fa6f04d5eb3286a735

memory/1600-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3132-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3132-23-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 727949379799fb879b4c82c031241521
SHA1 360abc1f5fa0a70c31ebaeb3624a8b198a654455
SHA256 10f43335c548539b9b0bc6bf5be1b4b6f02aaf9b32e750164c19375a3b959868
SHA512 6d918e020b45f984ba219bc37ac93a157d5d3fd6c882a967980d4f0f89fbce5d33307d872296571582fd61c256bfa93f6c254a1e71c551062773efd0fa97d628

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 44605ce8ca6de0ade71ba7cede3721a3
SHA1 3b6eb8dcb9754f67f491bf1824bba0ac166a2e00
SHA256 9fda12ec055361c8627ea1c395e56f0a1c565644b092246f7185f512e74deaa8
SHA512 d1d340c613dd2f4c596afec129e5bbfc8969dd6a2a09f5bc6bc5ab97682c7beea1ff2f2294d4cd9da6aaa604e56158a448c1bbfcec29d276078cec303093df39

memory/3132-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4580-21-0x0000000000AF0000-0x0000000000B8B000-memory.dmp

memory/3132-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3132-29-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe

MD5 ef97a1d33f5e22143e60ed22bb1251fa
SHA1 c484a23ab9f0a7d1c28440901e880f3a461db4e6
SHA256 14e7bbac54197a297bc2820c9192dc7e6bfe04bf79a6546e2f5abd81a97d4ad3
SHA512 cecbf2f17366920a2cd92c138b789f4be18f9c80d161f66ff2af37cc7de49c2764b7a4e8dd99abe593de93272c40bf9768f7f338b54ac4134817227473bf04a7

memory/96-43-0x00000000007F0000-0x000000000083B000-memory.dmp

memory/3748-45-0x0000000000400000-0x000000000065E000-memory.dmp

memory/3748-44-0x0000000000400000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe

MD5 fe01c85761f73499aad7b52653767efc
SHA1 994ce5a6898ccefbfe7d3cdd21e7b044b98a47ae
SHA256 caf7e3d57333c9367bcbeee6fa78a6dbd5ea796f138c9b384a96940de47fdee2
SHA512 9af67eeffc27cd1e54740db15101caecfdc5067b78a17865a3bb9ef38e5ce4d8275ab15a3be81788477e05684a28366ffb7bac513af840893741c20813ccc90d

memory/96-40-0x00000000005B0000-0x00000000006B0000-memory.dmp

memory/3748-39-0x0000000000400000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe

MD5 8f24045b0e4ba4a126d902d9ebe0dfe2
SHA1 b4aa49d53b81a8b3a1f771d1b6c2bb9c0aa454c9
SHA256 a8684e5117c2ed30f5cf10c3cd443f2ef68a8a186e35a819fb476a855f5c4737
SHA512 2b87a8d584a6a309c6bcc3f59320c86aca83d8c42831138750856f7aae0c92e81266af699e3c39133f95846a256d1e0032a7b5bb25465077293a12ae746d88b0

memory/3132-46-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4552-47-0x00000000026E0000-0x00000000027FB000-memory.dmp

memory/3748-52-0x0000000000400000-0x000000000065E000-memory.dmp

memory/3132-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3132-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3132-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3132-59-0x0000000000400000-0x0000000000537000-memory.dmp