Malware Analysis Report

2025-08-10 18:24

Sample ID 240115-fms6tahghl
Target ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc
SHA256 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc
Tags
djvu vidar discovery persistence ransomware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc was found to be: Known bad.

Malicious Activity Summary

djvu vidar discovery persistence ransomware stealer

Vidar

Detect Vidar Stealer

Djvu Ransomware

Detected Djvu ransomware

Downloads MZ/PE file

Loads dropped DLL

Modifies file permissions

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Modifies system certificate store

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:59

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:59

Reported

2024-01-15 05:04

Platform

win7-20231215-en

Max time kernel

300s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe"

Signatures

Detect Vidar Stealer

stealer

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8d48942f-f643-4d39-aaf0-87b2aeff60d3\\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1676 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
PID 1968 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Windows\SysWOW64\icacls.exe
PID 1968 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
PID 2592 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
PID 2620 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe
PID 2660 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe
PID 2484 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe

"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe"

C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe

"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\8d48942f-f643-4d39-aaf0-87b2aeff60d3" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe

"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe

"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe

"C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe"

C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe

"C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 1440

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
CO 186.147.159.149:80 brusuax.com tcp
IR 2.180.10.7:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:59

Reported

2024-01-15 05:05

Platform

win10-20231215-en

Max time kernel

299s

Max time network

303s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe"

Signatures

Detect Vidar Stealer

stealer

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c30fe274-c02d-44db-a034-09b6b32042e4\\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4372 set thread context of 2848 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
PID 4480 set thread context of 4360 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
PID 2540 set thread context of 3960 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
PID 3944 set thread context of 3044 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe
PID 4416 set thread context of 2744 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 5044 set thread context of 4704 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3348 set thread context of 2540 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1260 set thread context of 1672 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4372 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
PID 2848 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Windows\SysWOW64\icacls.exe
PID 2848 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
PID 4480 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
PID 4480 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
PID 4480 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
PID 4480 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
PID 4480 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
PID 4480 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
PID 4360 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
PID 4360 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
PID 4360 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
PID 2540 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
PID 2540 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
PID 2540 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
PID 2540 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
PID 2540 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
PID 2540 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
PID 2540 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
PID 2540 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
PID 2540 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
PID 2540 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
PID 4360 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe
PID 4360 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe
PID 4360 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe
PID 3944 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe
PID 3944 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe
PID 3944 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe
PID 3944 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe
PID 3944 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe
PID 3944 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe
PID 3944 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe
PID 3944 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe
PID 3944 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe
PID 3044 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 3044 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 3044 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 4416 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4416 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4416 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4416 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4416 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4416 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4416 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4416 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4416 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2744 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe

"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe"

C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe

"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c30fe274-c02d-44db-a034-09b6b32042e4" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe

"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe

"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe

"C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe"

C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe

"C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 772

C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe

"C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe

"C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
AR 186.13.17.220:80 habrafa.com tcp
AR 186.182.55.44:80 habrafa.com tcp
US 8.8.8.8:53 220.17.13.186.in-addr.arpa udp
US 8.8.8.8:53 44.55.182.186.in-addr.arpa udp
AR 186.13.17.220:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

memory/4372-3-0x00000000021F0000-0x000000000230B000-memory.dmp

memory/2848-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2848-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2848-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2848-2-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4372-1-0x00000000020D0000-0x0000000002168000-memory.dmp

C:\Users\Admin\AppData\Local\c30fe274-c02d-44db-a034-09b6b32042e4\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe

MD5 809dc9c06f88c3d380cd0c1855311d9e
SHA1 e31e50c75315d7bebad2f458aa44880c0ac5dec1
SHA256 e914ba740c350751f14369efba5aa443de686622e689077ac9e65d71b86a9d70
SHA512 92ef1a17da678da7bce1c0539c7285ba9b313ee49642b6a017921eb284997a00171f5f1baefcf718492cd73d6570f694fe696c3257166158a3b5c05c3f0b127d

memory/2848-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4360-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4360-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4360-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4480-21-0x0000000000530000-0x00000000005C7000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 e02ee8746d32cbf60121c161f57ce78b
SHA1 e9b09408f286959c4afd76a9999295e7397e3e2a
SHA256 0aba5c7abde9c89c2149521946c84253c23e39895c21271598c330cfbdbcbc63
SHA512 51510fffaf31339ccd6f8470d209cfbb902c07e0ceb76b10852170acdaa4805d4a2627d1132d78402c4a1ffff354a2c9f4679fced86323bc9ec6c0dc8190a88f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 bc441289c02b7763a032a062415e2d0a
SHA1 333601fdb789412029e0b59d50a5b6a1ae192f7a
SHA256 3d2de6db8f8e290d25e819046bbfa43bb87adff812e232dfb6e62c8279be1879
SHA512 843ebc5f58dc7fecf209633a7c13af2c69e1771431ae7b13897603b0853c9e2185a2b1ae4516dd571d50c28cc3e6bb9c3da03ef19e25803ff69c9a5b6ef352c3

memory/4360-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4360-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4360-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4360-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4360-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4360-38-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe

MD5 85ba587c06ec82f09b3cf644e12b64de
SHA1 b63a09ca72401bd505823df8e0579b605838ea0b
SHA256 2672abbfcb957d362b31d8738901a4dfb0d98a7e0c5cbe46740dd5954a0d930f
SHA512 3bef5da14017a142d8574ef1699410a1ac56ae27edcb1dc03464fe3334cd183028d5e7b8135fae55b2040a074df7df3f6c78b0320e26ffb594a5e9b6bedc1f68

C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe

MD5 91a99112f06b75248ce528005600a08c
SHA1 8df0504af54f9dbfad9a983e8bef5ef9f03d0dcc
SHA256 be5a0df20e70cefdf592a5255c1f881e7daa98b8cfc7c851d4a38254150260d0
SHA512 02abfcc0f51ec22dcfc6b82121dac4c5ef6e35f441fcf8d6ed642f36332d973293f34391ffbeda93a34e2b4cbf45124cf7ac6c27fe9a719f14d7efd35f8e182c

memory/3960-53-0x0000000000400000-0x000000000065E000-memory.dmp

memory/3960-54-0x0000000000400000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe

MD5 5f93e96277bcd90fcce5d874629be7d0
SHA1 b463dbdb14ba6e6969fcb0469447687789869cce
SHA256 9a7d8bbbae7c09987ab35c433432411213b3094ca32d4c4e9d9bf8e2e4a8fbe9
SHA512 632dad65caffd039fd8864ca832034887ff91bbc9396c7e2af4599cbf8697f2284682de217616cdcdc8070a41f00209dbb969e4d82c98b170366a40432f8cf65

memory/2540-50-0x00000000006C0000-0x000000000070B000-memory.dmp

memory/2540-49-0x0000000000790000-0x0000000000890000-memory.dmp

memory/3960-48-0x0000000000400000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe

MD5 45251d81e6c0caec040203985cde7b44
SHA1 163a40f0392db4fa731d49731d28debe84c7e848
SHA256 190e6ea28b58c0ad6e119bff026594692b23a21e170c918f222a4de2eba3bb71
SHA512 e920b64b8401e363b53adc537263772480845b227375205b0f8ed6ec48ac4ca51acb39af12e7d22626dd9eb83d2c9463f40cdc610fdeac3673665d7223147254

C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe

MD5 4282cb787bc1ea23523430ad8967c67c
SHA1 36a91398a902a63b80ed0a3e6258c49eb6150dbb
SHA256 de528f41e5aa2d028e61e4cee62e694892d252c375348793d6572538bf465cb7
SHA512 76c35a3d162708c4b207259c5188c319ec2922474fec191a82298299c6dda5003ecccf274a29826c6e67c136081e767d92811a3f084fd7c3a82e1892a92985e3

memory/4360-65-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3960-67-0x0000000000400000-0x000000000065E000-memory.dmp

memory/3044-76-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 899bfc0d52cc0a46893999f4d383140a
SHA1 a3d02de16f221d6ba3c8b21e1baa90c604b39933
SHA256 0e22a90d73c50187cc0e4c2106d9c88e72dd371aa934ded01a69c1356a4693e0
SHA512 73889078ef07f486618b8cfc26213140c2dfacb3d5b07ac514a4e2732ed880272b026a4af7e7fe0a18fda706d95f217cb4185f60ec2f7fba2068c85f0bcd9d4d

memory/3044-74-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3944-73-0x0000000000950000-0x0000000000954000-memory.dmp

memory/3944-72-0x0000000000850000-0x0000000000950000-memory.dmp

C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe

MD5 8e43e2aa8bf102b656bf0100b841e9e2
SHA1 2ca2c1f0289e91610f759d284a2cac037c4b172a
SHA256 645a972a88bc249e79e40ab8f5a815e8ee0bc8c5393ebbdb9d0df8a3f80f6c3b
SHA512 55497f1b3aecea1266d2c19688ac5340536f43bec977da8e887937c5693eaec7784596a2e0d1916f95b4161bb460430e9358e7cc594392c2d2a418358fd89138

memory/3044-69-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 27ccd42c218818e0b18f27ac8bd0d066
SHA1 cc0f0679200936893bcdea3bba4081b57fc2fc0e
SHA256 176159b75273018d491e98633e5ed4233924cdbcc9d22d0dc32e87ec72fa8eea
SHA512 a0f00b894e36eca41bf2f79de1ee7adec9d0591be4902de51046915a66235b3067e27a8974587395f5bfa69ae9e17778c9d4ccd897848030b5983dfc6ee2b92b

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 0af6621a736a6bdad2955a49d0764fc6
SHA1 7bc4487d8c19caef8a95fc53d1e3d154b5ed20ad
SHA256 5b0550bb588155654be23cf82716fa4d94e79466106aeeb818e0509fa849dd66
SHA512 317d98f34fbb8ccfe550775a3112d4375a97ae13d84299494ad762e2fa0e4659d9f92baa1f2b171e1a97762b022842d6c3a444444b89d4cf2155c50cdf1c5f69

memory/4416-95-0x00000000008B0000-0x00000000009B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 b72509b1eec38b6c493c6814f296eb0d
SHA1 c9988cda365e34712ce1627024336a711c7d9bc2
SHA256 b0302ae30b1e3c6370ef4b748df79a4109413dbf446b41d5254911b526223781
SHA512 7f19dad7bfc4ebd472316124c09df4923a4ecb3a5bc6a8aa50e3bcba50f5c4e0037d2e40908c693d064889a2f7b0808df848e0fb0f976fbffac2fbd328d6750c

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/5044-119-0x0000000000ABE000-0x0000000000ACE000-memory.dmp

memory/4704-122-0x0000000000410000-0x00000000004D5000-memory.dmp

memory/3348-143-0x0000000000840000-0x0000000000940000-memory.dmp

memory/1260-169-0x00000000008C0000-0x00000000009C0000-memory.dmp