djvu | a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416

Analysis

max time kernel
56s
max time network
126s
platform
windows10_x64
resource
win10-en-20211208
submitted
03-02-2022 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
Size

826KB
MD5

8c76817c2fe3ed4843cac361f6fd8d86
SHA1

f4124c09fa270df48e896072f53409fe59948291
SHA256

a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416
SHA512

8d179df5feebe0d4cb2c971ff25dc7b9b4680cb79f48e7f19eb2df74889a807a0cd7ab40b1bddaac0fa7193d0656a3c48e78706fb62b33c27772c726d557d3ac

Score

10^/10

djvu vidar 517 discovery persistence ransomware spyware stealer

Malware Config

Extracted

Family

djvu

http://fuyt.org/test1/get.php

Attributes

extension
.bbbw
offline_id
jYeuANkMCJOEtaXsN8JcBUuEjwSP20EGT4t2Nct1
payload_url
http://lencu.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-qqj8MrDVtG Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: helprestoremanager@airmail.cc Your personal ID: 0382UIhfSd

rsa_pubkey.plain

Extracted

Family

vidar

Version

49.8

Botnet

517

https://c.im/@prophef3

https://qoto.org/@prophef41

Attributes

profile_id
517

Signatures

Detected Djvu ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3616-116-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/660-117-0x0000000002430000-0x000000000254B000-memory.dmp	family_djvu
behavioral1/memory/3616-118-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3844-219-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1136-223-0x0000000000400000-0x0000000000553000-memory.dmp	family_vidar
behavioral1/memory/1136-224-0x0000000000400000-0x0000000000553000-memory.dmp	family_vidar
behavioral1/memory/1136-227-0x0000000000400000-0x0000000000553000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

build2.exe

pid process

1136 build2.exe
Loads dropped DLL 2 IoCs

Processes:

build2.exe

pid process

1136 build2.exe
1136 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2448 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1136	build2.exe

pid	process
1136	build2.exe
1136	build2.exe

pid	process
2448	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\58dea988-fdb1-41d5-a358-0ef419fa6b24\\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe\" --AutoStart"	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.2ip.ua
2 api.2ip.ua
10 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

build2.exe

pid process

1136 build2.exe

flow	ioc
1	api.2ip.ua
2	api.2ip.ua
10	api.2ip.ua

pid	process
1136	build2.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exea1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe

description	pid	process	target process
PID 660 set thread context of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 2660 set thread context of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

660 1136 WerFault.exe build2.exe

pid	pid_target	process	target process
660	1136	WerFault.exe	build2.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exea1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exebuild2.exeWerFault.exe

pid	process
3616	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
3616	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
3844	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
3844	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
1136	build2.exe
1136	build2.exe
1136	build2.exe
1136	build2.exe
1136	build2.exe
1136	build2.exe
1136	build2.exe
1136	build2.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 660 WerFault.exe
Token: SeBackupPrivilege 660 WerFault.exe
Token: SeDebugPrivilege 660 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	660	WerFault.exe
Token: SeBackupPrivilege	660	WerFault.exe
Token: SeDebugPrivilege	660	WerFault.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exea1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exea1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exea1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe

C:\Users\Admin\AppData\Local\Temp\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
"C:\Users\Admin\AppData\Local\Temp\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:660

C:\Users\Admin\AppData\Local\Temp\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
"C:\Users\Admin\AppData\Local\Temp\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\58dea988-fdb1-41d5-a358-0ef419fa6b24" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2448

C:\Users\Admin\AppData\Local\Temp\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
"C:\Users\Admin\AppData\Local\Temp\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2660

C:\Users\Admin\AppData\Local\Temp\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
"C:\Users\Admin\AppData\Local\Temp\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3844

C:\Users\Admin\AppData\Local\3b1228ae-b7ff-4e4d-9138-7937fbc3f0b5\build2.exe
"C:\Users\Admin\AppData\Local\3b1228ae-b7ff-4e4d-9138-7937fbc3f0b5\build2.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1452
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
33d1c53ba363f4e01e8a56e97a76aac1

SHA1
36b1eedb6d1e2d2898043c05f650957af0f283c9

SHA256
df3dd95a78c64e43870744ef82a86970015a666c69babd1671d26a9bfc8d7377

SHA512
786bd8f6d1b42b568261bf12a305f98a49258335d1308a1df2776ef0adbb4ce71c8c13d89105a72f098eadd52921b9784ec69b0485af21ec4c30c16e311a04a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
785fba5418a4df5e682d7a4da4ef7103

SHA1
3afe4a04cd5a58d6b51221f5a3aa2b6ee6112d33

SHA256
87f5330cc843ef52a6175dbe88046fbe75f140800a1c934b676d05b9fef2fe66

SHA512
b712943187ee2a64371be31cef6fb4d39ace66d1c308a5f3ec73cfcd684ac78d9cd9a57e0d4294f88c51c9a32c9c23955b75d4939085b2f57939befa86e1ad96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
1e044cac67a8b3a64473c98d8b8b1aa8

SHA1
1954020874f2eed8b2479d69cc55c8eb2b38e418

SHA256
5c13ff2c69fa4e164c38537ceeef234c67e89082601058f8b82049fc284c9f8e

SHA512
d5f643d4501930705226a0a6a7b1fd83f299d24453a1f07595389e7abb8fc39f40af2f2a1f580df1672cec3a50077e613b86aacac227b76005fa50c139142fc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
68591c3f1248e49e3db6ed7ad528de10

SHA1
5b465115e56aaed270d4fa72df112a1beef4756c

SHA256
55dc32f0dc2b5bfb3b77ab94b861fe3311a59c7123b17ccb9b530559b93ff7d4

SHA512
90af153afe780ae1723b10af02b1db6c1a1cf18e8bb7d83f2176f8ecb62cb7ec01643d0e5987b9445cdc1c15fd183978f7d3a34963f2e4fe9211558ef2caef8d

Download Submit
C:\Users\Admin\AppData\Local\3b1228ae-b7ff-4e4d-9138-7937fbc3f0b5\build2.exe
MD5
a96bef4d3678039d2325d8eb11a28064

SHA1
584b93829a5d0b7f8be36aadc4b4254d5905f71b

SHA256
2a16d83ed34f45fe29d37579d4b45385a4c92900ad1ed71473449af3a9062e96

SHA512
d7af7152b37524fc93f40cb3884adec1a683c84c141dda4d3eac4333e2a6c7ceb029b6b17e1d90c3f836a634bf7af7f3cf6963ae97a94265df936f9fcf812cce

Download Submit
C:\Users\Admin\AppData\Local\3b1228ae-b7ff-4e4d-9138-7937fbc3f0b5\build2.exe
MD5
a96bef4d3678039d2325d8eb11a28064

SHA1
584b93829a5d0b7f8be36aadc4b4254d5905f71b

SHA256
2a16d83ed34f45fe29d37579d4b45385a4c92900ad1ed71473449af3a9062e96

SHA512
d7af7152b37524fc93f40cb3884adec1a683c84c141dda4d3eac4333e2a6c7ceb029b6b17e1d90c3f836a634bf7af7f3cf6963ae97a94265df936f9fcf812cce

Download Submit
C:\Users\Admin\AppData\Local\58dea988-fdb1-41d5-a358-0ef419fa6b24\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
MD5
8c76817c2fe3ed4843cac361f6fd8d86

SHA1
f4124c09fa270df48e896072f53409fe59948291

SHA256
a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416

SHA512
8d179df5feebe0d4cb2c971ff25dc7b9b4680cb79f48e7f19eb2df74889a807a0cd7ab40b1bddaac0fa7193d0656a3c48e78706fb62b33c27772c726d557d3ac

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/660-117-0x0000000002430000-0x000000000254B000-memory.dmp

Filesize
1.1MB

Download
memory/1136-229-0x0000000074070000-0x0000000074161000-memory.dmp

Filesize
964KB

Download
memory/1136-223-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1136-222-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1136-224-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1136-225-0x0000000002310000-0x0000000002355000-memory.dmp

Filesize
276KB

Download
memory/1136-226-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1136-227-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1136-228-0x00000000759E0000-0x0000000075BA2000-memory.dmp

Filesize
1.8MB

Download
memory/1136-232-0x00000000725E0000-0x0000000072604000-memory.dmp

Filesize
144KB

Download
memory/1136-233-0x0000000072610000-0x0000000072744000-memory.dmp

Filesize
1.2MB

Download
memory/3616-116-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3616-118-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3844-219-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

description	pid	process	target process
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 3616 wrote to memory of 2448	3616	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	icacls.exe
PID 3616 wrote to memory of 2448	3616	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	icacls.exe
PID 3616 wrote to memory of 2448	3616	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	icacls.exe
PID 3616 wrote to memory of 2660	3616	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 3616 wrote to memory of 2660	3616	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 3616 wrote to memory of 2660	3616	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
PID 3844 wrote to memory of 1136	3844	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	build2.exe
PID 3844 wrote to memory of 1136	3844	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	build2.exe
PID 3844 wrote to memory of 1136	3844	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	build2.exe