djvu | 59d0891001fbd6107176eabf298e6247ebb7c9da90e2e31c342d3333e50679c9

Analysis

max time kernel
131s
max time network
153s
platform
windows7_x64
resource
win7-en-20210920
submitted
22-10-2021 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b91bf136ea911e84d372e78222f2a54.exe
Size

804KB
MD5

1b91bf136ea911e84d372e78222f2a54
SHA1

58813bc4c7e6a160c127b8f222042f88fb470126
SHA256

59d0891001fbd6107176eabf298e6247ebb7c9da90e2e31c342d3333e50679c9
SHA512

9774e559ceb5ae1e6ec46ec1cc7e40c18f42837d741bd7e761b1c88c880e50507393114f3094b35888055557de88bc5a42d55f32dc19b88fda02024dbd80729e

Score

10^/10

djvu vidar 517 discovery persistence ransomware stealer

Malware Config

Extracted

Family

vidar

Version

41.5

Botnet

517

https://mas.to/@xeroxxx

Attributes

profile_id
517

Extracted

Family

djvu

http://rlrz.org/lancer

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/960-55-0x0000000000B10000-0x0000000000C2B000-memory.dmp	family_djvu
behavioral1/memory/552-57-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/552-56-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/552-59-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1556-65-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1556-73-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1172-87-0x0000000004790000-0x0000000004866000-memory.dmp	family_vidar
behavioral1/memory/1292-88-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar
behavioral1/memory/1292-84-0x00000000004A18CD-mapping.dmp	family_vidar
behavioral1/memory/1292-83-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid process

1172 build2.exe
1292 build2.exe
1396 build3.exe
1720 build3.exe
1532 mstsca.exe
664 mstsca.exe
936 mstsca.exe
748 mstsca.exe

pid	process
1172	build2.exe
1292	build2.exe
1396	build3.exe
1720	build3.exe
1532	mstsca.exe
664	mstsca.exe
936	mstsca.exe
748	mstsca.exe

Loads dropped DLL 11 IoCs

Processes:

1b91bf136ea911e84d372e78222f2a54.exeWerFault.exe

pid	process
1556	1b91bf136ea911e84d372e78222f2a54.exe
1556	1b91bf136ea911e84d372e78222f2a54.exe
1556	1b91bf136ea911e84d372e78222f2a54.exe
1556	1b91bf136ea911e84d372e78222f2a54.exe
392	WerFault.exe
392	WerFault.exe
392	WerFault.exe
392	WerFault.exe
392	WerFault.exe
392	WerFault.exe
392	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1800 icacls.exe

pid	process
1800	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1b91bf136ea911e84d372e78222f2a54.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b97572ef-dc46-4843-8588-80fb143620cd\\1b91bf136ea911e84d372e78222f2a54.exe\" --AutoStart"	1b91bf136ea911e84d372e78222f2a54.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.2ip.ua
5 api.2ip.ua
13 api.2ip.ua

flow	ioc
4	api.2ip.ua
5	api.2ip.ua
13	api.2ip.ua

Suspicious use of SetThreadContext 6 IoCs

Processes:

1b91bf136ea911e84d372e78222f2a54.exe1b91bf136ea911e84d372e78222f2a54.exebuild2.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 960 set thread context of 552	960	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 1304 set thread context of 1556	1304	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 1172 set thread context of 1292	1172	build2.exe	build2.exe
PID 1396 set thread context of 1720	1396	build3.exe	build3.exe
PID 1532 set thread context of 664	1532	mstsca.exe	mstsca.exe
PID 936 set thread context of 748	936	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

392 1292 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1156 schtasks.exe
1484 schtasks.exe

pid	pid_target	process	target process
392	1292	WerFault.exe	build2.exe

pid	process
1156	schtasks.exe
1484	schtasks.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1b91bf136ea911e84d372e78222f2a54.exe1b91bf136ea911e84d372e78222f2a54.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1b91bf136ea911e84d372e78222f2a54.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1b91bf136ea911e84d372e78222f2a54.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1b91bf136ea911e84d372e78222f2a54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1b91bf136ea911e84d372e78222f2a54.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1b91bf136ea911e84d372e78222f2a54.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

1b91bf136ea911e84d372e78222f2a54.exe1b91bf136ea911e84d372e78222f2a54.exeWerFault.exe

pid	process
552	1b91bf136ea911e84d372e78222f2a54.exe
552	1b91bf136ea911e84d372e78222f2a54.exe
1556	1b91bf136ea911e84d372e78222f2a54.exe
1556	1b91bf136ea911e84d372e78222f2a54.exe
392	WerFault.exe
392	WerFault.exe
392	WerFault.exe
392	WerFault.exe
392	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

392 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 392 WerFault.exe

pid	process
392	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	392	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1b91bf136ea911e84d372e78222f2a54.exe1b91bf136ea911e84d372e78222f2a54.exe1b91bf136ea911e84d372e78222f2a54.exe1b91bf136ea911e84d372e78222f2a54.exebuild2.exebuild3.exebuild3.exebuild2.exe

description	pid	process	target process
PID 960 wrote to memory of 552	960	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 960 wrote to memory of 552	960	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 960 wrote to memory of 552	960	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 960 wrote to memory of 552	960	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 960 wrote to memory of 552	960	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 960 wrote to memory of 552	960	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 960 wrote to memory of 552	960	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 960 wrote to memory of 552	960	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 960 wrote to memory of 552	960	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 960 wrote to memory of 552	960	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 960 wrote to memory of 552	960	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 552 wrote to memory of 1800	552	1b91bf136ea911e84d372e78222f2a54.exe	icacls.exe
PID 552 wrote to memory of 1800	552	1b91bf136ea911e84d372e78222f2a54.exe	icacls.exe
PID 552 wrote to memory of 1800	552	1b91bf136ea911e84d372e78222f2a54.exe	icacls.exe
PID 552 wrote to memory of 1800	552	1b91bf136ea911e84d372e78222f2a54.exe	icacls.exe
PID 552 wrote to memory of 1304	552	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 552 wrote to memory of 1304	552	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 552 wrote to memory of 1304	552	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 552 wrote to memory of 1304	552	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 1304 wrote to memory of 1556	1304	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 1304 wrote to memory of 1556	1304	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 1304 wrote to memory of 1556	1304	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 1304 wrote to memory of 1556	1304	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 1304 wrote to memory of 1556	1304	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 1304 wrote to memory of 1556	1304	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 1304 wrote to memory of 1556	1304	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 1304 wrote to memory of 1556	1304	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 1304 wrote to memory of 1556	1304	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 1304 wrote to memory of 1556	1304	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 1304 wrote to memory of 1556	1304	1b91bf136ea911e84d372e78222f2a54.exe	1b91bf136ea911e84d372e78222f2a54.exe
PID 1556 wrote to memory of 1172	1556	1b91bf136ea911e84d372e78222f2a54.exe	build2.exe
PID 1556 wrote to memory of 1172	1556	1b91bf136ea911e84d372e78222f2a54.exe	build2.exe
PID 1556 wrote to memory of 1172	1556	1b91bf136ea911e84d372e78222f2a54.exe	build2.exe
PID 1556 wrote to memory of 1172	1556	1b91bf136ea911e84d372e78222f2a54.exe	build2.exe
PID 1556 wrote to memory of 1396	1556	1b91bf136ea911e84d372e78222f2a54.exe	build3.exe
PID 1556 wrote to memory of 1396	1556	1b91bf136ea911e84d372e78222f2a54.exe	build3.exe
PID 1556 wrote to memory of 1396	1556	1b91bf136ea911e84d372e78222f2a54.exe	build3.exe
PID 1556 wrote to memory of 1396	1556	1b91bf136ea911e84d372e78222f2a54.exe	build3.exe
PID 1172 wrote to memory of 1292	1172	build2.exe	build2.exe
PID 1172 wrote to memory of 1292	1172	build2.exe	build2.exe
PID 1172 wrote to memory of 1292	1172	build2.exe	build2.exe
PID 1172 wrote to memory of 1292	1172	build2.exe	build2.exe
PID 1172 wrote to memory of 1292	1172	build2.exe	build2.exe
PID 1172 wrote to memory of 1292	1172	build2.exe	build2.exe
PID 1172 wrote to memory of 1292	1172	build2.exe	build2.exe
PID 1172 wrote to memory of 1292	1172	build2.exe	build2.exe
PID 1172 wrote to memory of 1292	1172	build2.exe	build2.exe
PID 1396 wrote to memory of 1720	1396	build3.exe	build3.exe
PID 1396 wrote to memory of 1720	1396	build3.exe	build3.exe
PID 1396 wrote to memory of 1720	1396	build3.exe	build3.exe
PID 1396 wrote to memory of 1720	1396	build3.exe	build3.exe
PID 1396 wrote to memory of 1720	1396	build3.exe	build3.exe
PID 1396 wrote to memory of 1720	1396	build3.exe	build3.exe
PID 1396 wrote to memory of 1720	1396	build3.exe	build3.exe
PID 1396 wrote to memory of 1720	1396	build3.exe	build3.exe
PID 1396 wrote to memory of 1720	1396	build3.exe	build3.exe
PID 1396 wrote to memory of 1720	1396	build3.exe	build3.exe
PID 1720 wrote to memory of 1156	1720	build3.exe	schtasks.exe
PID 1720 wrote to memory of 1156	1720	build3.exe	schtasks.exe
PID 1720 wrote to memory of 1156	1720	build3.exe	schtasks.exe
PID 1720 wrote to memory of 1156	1720	build3.exe	schtasks.exe
PID 1292 wrote to memory of 392	1292	build2.exe	WerFault.exe
PID 1292 wrote to memory of 392	1292	build2.exe	WerFault.exe
PID 1292 wrote to memory of 392	1292	build2.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1b91bf136ea911e84d372e78222f2a54.exe
"C:\Users\Admin\AppData\Local\Temp\1b91bf136ea911e84d372e78222f2a54.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\1b91bf136ea911e84d372e78222f2a54.exe
"C:\Users\Admin\AppData\Local\Temp\1b91bf136ea911e84d372e78222f2a54.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\b97572ef-dc46-4843-8588-80fb143620cd" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1800

C:\Users\Admin\AppData\Local\Temp\1b91bf136ea911e84d372e78222f2a54.exe
"C:\Users\Admin\AppData\Local\Temp\1b91bf136ea911e84d372e78222f2a54.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\1b91bf136ea911e84d372e78222f2a54.exe
"C:\Users\Admin\AppData\Local\Temp\1b91bf136ea911e84d372e78222f2a54.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build2.exe
"C:\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build2.exe
"C:\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build2.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 892
7⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build3.exe
"C:\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build3.exe
"C:\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\taskeng.exe
taskeng.exe {4933882A-920F-4B61-950B-8816B1D1E7D8} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:1812

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1532

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:664

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- Creates scheduled task(s)
PID:1484

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:936

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
50d9d5311b74576fbbb5c9f204fdc16b

SHA1
7dd97b713e33f287440441aa3bb7966a2cb68321

SHA256
d76a71e8dfd6961d4912a23b2fd207f2a93c67523dfcda252358eafa5821b2ad

SHA512
67d02ce79bb8fd641783ba12ab5587900a03416627939084ce87f22b42ca7d50765947e2238b3c6a70a74bce3c9233b486aaa10feb57e714646e4d02c0c926c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
8f19b97ffda28eb06efc2181fd126b9c

SHA1
142443021d6ffaf32d3d60635d0edf540a039f2e

SHA256
49607d1b931a79642c5268292b4f16f2db7ec77b53f8abddbc0cce36ed88e3f7

SHA512
6577704c531cc07d1ae8d61dfe6d8735d29d1386038fa9e3f5580c80c30dc04570ec0160f51903d05b180c4af68f0eb8e23e2106c3bb367afd32d033aae031e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
d921a4c90483b53f3c1582bb0c20ed4d

SHA1
c4d3210fbd0efbce7a02afc9a8b4a8e221450060

SHA256
23c88e8f6526fb063b584cb2ff701505004c8a032318eed063dd2d4f5e80e809

SHA512
80f4b56c1f292adf8295afd4829c337aed79230fc9aea7aa49a7e8dc878d0d1e6dcbc967fdd7dd17b2256dd20ae9e5d637c33331a9cd97fcc3f2306c2dc27c21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
94efe3d49dce86ca36b704f7ab1d844f

SHA1
dd6cee015e6567cd1ced0031c3e657d519e5144b

SHA256
24ee6475f582477109c9d71967e5d9837d413086d1672ca3159dd248bf259bcf

SHA512
f0cbb3ef12949de48c800eaf97e0899f0fed369bea8c3c0edc2f2cd0ec5037faeeead7f44b0a9c2d1ae48c9be94a9c0bd404879b468a224a70473b132a7d6cdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
d74617d7d4d1580798c66078ac706e81

SHA1
d6db560a309b53ab7d9cb09b1af38cfa72335c65

SHA256
88b010d154343eccdd04876ef965ee223fcefc0f33db78bf6ece0932e57fc9d9

SHA512
d3655683f33f866c61ff0f3ab79f64e6ad82750e40b1c2e8038155daf13a0043dd6a1ab9f12eee24a38f930392ced39e900d5830fa3ede29adf70cbf7db74ccb

Download Submit
C:\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
C:\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
C:\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
C:\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\b97572ef-dc46-4843-8588-80fb143620cd\1b91bf136ea911e84d372e78222f2a54.exe
MD5
1b91bf136ea911e84d372e78222f2a54

SHA1
58813bc4c7e6a160c127b8f222042f88fb470126

SHA256
59d0891001fbd6107176eabf298e6247ebb7c9da90e2e31c342d3333e50679c9

SHA512
9774e559ceb5ae1e6ec46ec1cc7e40c18f42837d741bd7e761b1c88c880e50507393114f3094b35888055557de88bc5a42d55f32dc19b88fda02024dbd80729e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
\Users\Admin\AppData\Local\6280c213-cf6c-4161-88ae-9425769b830a\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
memory/392-99-0x0000000000000000-mapping.dmp

Download
memory/392-107-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/552-58-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/552-57-0x0000000000424141-mapping.dmp

Download
memory/552-59-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/552-56-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/664-113-0x0000000000401AFA-mapping.dmp

Download
memory/748-121-0x0000000000401AFA-mapping.dmp

Download
memory/936-117-0x0000000000000000-mapping.dmp

Download
memory/936-119-0x000000000330D000-0x000000000331E000-memory.dmp

Filesize
68KB

Download
memory/960-54-0x00000000009F0000-0x0000000000A82000-memory.dmp

Filesize
584KB

Download
memory/960-55-0x0000000000B10000-0x0000000000C2B000-memory.dmp

Filesize
1.1MB

Download
memory/1156-97-0x0000000000000000-mapping.dmp

Download
memory/1172-87-0x0000000004790000-0x0000000004866000-memory.dmp

Filesize
856KB

Download
memory/1172-76-0x0000000000000000-mapping.dmp

Download
memory/1172-78-0x00000000002ED000-0x000000000036A000-memory.dmp

Filesize
500KB

Download
memory/1292-83-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1292-84-0x00000000004A18CD-mapping.dmp

Download
memory/1292-88-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1304-62-0x0000000000000000-mapping.dmp

Download
memory/1304-63-0x0000000000900000-0x0000000000992000-memory.dmp

Filesize
584KB

Download
memory/1396-90-0x000000000331D000-0x000000000332E000-memory.dmp

Filesize
68KB

Download
memory/1396-81-0x0000000000000000-mapping.dmp

Download
memory/1396-91-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1484-116-0x0000000000000000-mapping.dmp

Download
memory/1532-109-0x0000000000000000-mapping.dmp

Download
memory/1532-111-0x000000000335D000-0x000000000336E000-memory.dmp

Filesize
68KB

Download
memory/1556-65-0x0000000000424141-mapping.dmp

Download
memory/1556-73-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1720-98-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1720-94-0x0000000000401AFA-mapping.dmp

Download
memory/1720-93-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1800-60-0x0000000000000000-mapping.dmp

Download