djvu | c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d

Analysis

max time kernel
140s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
Size

823KB
MD5

eee7d75d98bb405f19224241fdc63c66
SHA1

80f225f35e1345b576117c9f964f6c7b83fbb156
SHA256

c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d
SHA512

d9fe73593fcedc49e98612cdc1594eeb57fad15628b10a2bbac2ac9726f731163961e42410400304305b764f795092ac54ff26f178a47eac461d57e40bb32122

Score

10^/10

djvu vidar 517 discovery persistence ransomware spyware stealer suricata

Malware Config

Extracted

Family

djvu

http://ugll.org/test1/get.php

Attributes

extension
.dfwe
offline_id
eBNgvyGQV1Hmt9DBdxVRs8qPi1agsS7OaohPmit1
payload_url
http://zerit.top/dl/build2.exe
http://ugll.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-j3AdKrnQie Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: admin@helpdata.top Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0480JIjdm

rsa_pubkey.plain

Extracted

Family

vidar

Version

52.1

Botnet

517

https://t.me/verstappenf1r

https://climatejustice.social/@ronxik312

Attributes

profile_id
517

Signatures

Detected Djvu ransomware 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4068-131-0x0000000002210000-0x000000000232B000-memory.dmp	family_djvu
behavioral1/memory/2516-133-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2516-134-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2516-135-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2516-136-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4864-142-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4864-144-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4864-149-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata

Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1556-154-0x0000000000400000-0x000000000044C000-memory.dmp	family_vidar
behavioral1/memory/1556-156-0x0000000000400000-0x000000000044C000-memory.dmp	family_vidar
behavioral1/memory/3540-158-0x0000000000920000-0x0000000000969000-memory.dmp	family_vidar
behavioral1/memory/1556-159-0x0000000000400000-0x000000000044C000-memory.dmp	family_vidar
behavioral1/memory/1556-160-0x0000000000400000-0x000000000044C000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

build2.exebuild2.exe

pid process

3540 build2.exe
1556 build2.exe

pid	process
3540	build2.exe
1556	build2.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe

Loads dropped DLL 2 IoCs

Processes:

build2.exe

pid process

1556 build2.exe
1556 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

4300 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1556	build2.exe
1556	build2.exe

pid	process
4300	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\260eeeb6-885c-435b-b6bc-b24cb2b18793\\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe\" --AutoStart"	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.2ip.ua
12 api.2ip.ua
17 api.2ip.ua

flow	ioc
11	api.2ip.ua
12	api.2ip.ua
17	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exebuild2.exe

description	pid	process	target process
PID 4068 set thread context of 2516	4068	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 3552 set thread context of 4864	3552	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 3540 set thread context of 1556	3540	build2.exe	build2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exebuild2.exe

pid	process
2516	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
2516	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
4864	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
4864	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
1556	build2.exe
1556	build2.exe
1556	build2.exe
1556	build2.exe
1556	build2.exe
1556	build2.exe
1556	build2.exe
1556	build2.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exebuild2.exe

C:\Users\Admin\AppData\Local\Temp\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
"C:\Users\Admin\AppData\Local\Temp\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\Admin\AppData\Local\Temp\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
"C:\Users\Admin\AppData\Local\Temp\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\260eeeb6-885c-435b-b6bc-b24cb2b18793" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:4300

C:\Users\Admin\AppData\Local\Temp\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
"C:\Users\Admin\AppData\Local\Temp\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3552

C:\Users\Admin\AppData\Local\Temp\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
"C:\Users\Admin\AppData\Local\Temp\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\AppData\Local\4e170150-8058-4b7e-986f-609b603ed755\build2.exe
"C:\Users\Admin\AppData\Local\4e170150-8058-4b7e-986f-609b603ed755\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Local\4e170150-8058-4b7e-986f-609b603ed755\build2.exe
"C:\Users\Admin\AppData\Local\4e170150-8058-4b7e-986f-609b603ed755\build2.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
727B

MD5
93995ad095112907cfc088998c161574

SHA1
518c7127e11809bb74ff0f68ea7e86ea5aebc798

SHA256
fd16d238bcac3441688e7ca940c27bb02df8f0bf43b26d8e551414a18748c1cc

SHA512
c2a3153c65f0acbc821bf663b38591821402d9a00680e2e22f410bf1735752194c08b96f77b7e6712082584a8b6605f7ab9552ad2f6c193fbd13c90bb60436e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
471B

MD5
c04f441d0220712231531a90823834db

SHA1
68dd18f1e0c51f1fdc4621394091a2dad08e4a08

SHA256
055641d3987ae98e2dd627d3214ea8084ae773a3df9592191b86977c752a29e7

SHA512
3156cf79585a45d919d4b27da4fe860f06e3206961fe1d20347ad74ef17de81c47857f35acd5cda3fae5ade28ab9747529ea3e8e79ca80aaf98e1f0e852bed53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
402B

MD5
b60f3a1dde35bc1fe73d86cebf37b834

SHA1
ad0f650273bccd8aaf6d627609f55bc5824cc5c6

SHA256
b49f18af1fbd41c9283d4eebff619b5c08fdb4b31e199328c50979578eb806b0

SHA512
ccf8b09c8863a78ff62ce2079445c831622943cd57797090901ab79c4977edf42603575e61a11cd69867a1c72ff6ea89d7bfc94e69e1918899cda3ec4ac7419e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
396B

MD5
7d4f96d2be12bb63c9f575bcbc39b944

SHA1
7de83f7d7b95dd90e8fcb1c408f8772bcaa9b731

SHA256
6a93a740c766b20ba74698e87f173d136286b29dc45b61c6e46d9d25ffa49077

SHA512
d459732675c50d309be94d392dc223789ca618f062033641880f8b2207f87c070cc3fa35fa384d4033894c418255895ee595387c7c6ab756f69fa798ce306358

Download Submit
C:\Users\Admin\AppData\Local\260eeeb6-885c-435b-b6bc-b24cb2b18793\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
Filesize
823KB

MD5
eee7d75d98bb405f19224241fdc63c66

SHA1
80f225f35e1345b576117c9f964f6c7b83fbb156

SHA256
c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d

SHA512
d9fe73593fcedc49e98612cdc1594eeb57fad15628b10a2bbac2ac9726f731163961e42410400304305b764f795092ac54ff26f178a47eac461d57e40bb32122

Download Submit
C:\Users\Admin\AppData\Local\4e170150-8058-4b7e-986f-609b603ed755\build2.exe
Filesize
367KB

MD5
3107999f9600f5f2bc88e17282da2773

SHA1
8862f9551fdb7dc30e135c556751b973f441e7b4

SHA256
aacab9cbbf292403a63bcfd1f6f0a9e534ac39aab406f2c9d7aa98b719f3801f

SHA512
50c66565fc457b848014eaf70b3f7cc408e8a818bd29c80daf53597a44c182d26649c249a6e3fe7e6516fc7ff7e7026f3aff4b25ee48645789fa6cd3d3e2f338

Download Submit
C:\Users\Admin\AppData\Local\4e170150-8058-4b7e-986f-609b603ed755\build2.exe
Filesize
367KB

MD5
3107999f9600f5f2bc88e17282da2773

SHA1
8862f9551fdb7dc30e135c556751b973f441e7b4

SHA256
aacab9cbbf292403a63bcfd1f6f0a9e534ac39aab406f2c9d7aa98b719f3801f

SHA512
50c66565fc457b848014eaf70b3f7cc408e8a818bd29c80daf53597a44c182d26649c249a6e3fe7e6516fc7ff7e7026f3aff4b25ee48645789fa6cd3d3e2f338

Download Submit
C:\Users\Admin\AppData\Local\4e170150-8058-4b7e-986f-609b603ed755\build2.exe
Filesize
367KB

MD5
3107999f9600f5f2bc88e17282da2773

SHA1
8862f9551fdb7dc30e135c556751b973f441e7b4

SHA256
aacab9cbbf292403a63bcfd1f6f0a9e534ac39aab406f2c9d7aa98b719f3801f

SHA512
50c66565fc457b848014eaf70b3f7cc408e8a818bd29c80daf53597a44c182d26649c249a6e3fe7e6516fc7ff7e7026f3aff4b25ee48645789fa6cd3d3e2f338

Download Submit
memory/1556-160-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1556-159-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1556-156-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1556-161-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1556-154-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1556-153-0x0000000000000000-mapping.dmp

Download
memory/2516-136-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2516-135-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2516-134-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2516-133-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2516-132-0x0000000000000000-mapping.dmp

Download
memory/3540-150-0x0000000000000000-mapping.dmp

Download
memory/3540-157-0x0000000000566000-0x0000000000591000-memory.dmp

Filesize
172KB

Download
memory/3540-158-0x0000000000920000-0x0000000000969000-memory.dmp

Filesize
292KB

Download
memory/3552-143-0x00000000007E1000-0x0000000000873000-memory.dmp

Filesize
584KB

Download
memory/3552-139-0x0000000000000000-mapping.dmp

Download
memory/4068-130-0x00000000007D6000-0x0000000000868000-memory.dmp

Filesize
584KB

Download
memory/4068-131-0x0000000002210000-0x000000000232B000-memory.dmp

Filesize
1.1MB

Download
memory/4300-137-0x0000000000000000-mapping.dmp

Download
memory/4864-149-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4864-144-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4864-142-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4864-140-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 4068 wrote to memory of 2516	4068	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 4068 wrote to memory of 2516	4068	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 4068 wrote to memory of 2516	4068	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 4068 wrote to memory of 2516	4068	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 4068 wrote to memory of 2516	4068	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 4068 wrote to memory of 2516	4068	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 4068 wrote to memory of 2516	4068	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 4068 wrote to memory of 2516	4068	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 4068 wrote to memory of 2516	4068	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 4068 wrote to memory of 2516	4068	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 2516 wrote to memory of 4300	2516	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	icacls.exe
PID 2516 wrote to memory of 4300	2516	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	icacls.exe
PID 2516 wrote to memory of 4300	2516	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	icacls.exe
PID 2516 wrote to memory of 3552	2516	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 2516 wrote to memory of 3552	2516	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 2516 wrote to memory of 3552	2516	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 3552 wrote to memory of 4864	3552	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 3552 wrote to memory of 4864	3552	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 3552 wrote to memory of 4864	3552	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 3552 wrote to memory of 4864	3552	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 3552 wrote to memory of 4864	3552	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 3552 wrote to memory of 4864	3552	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 3552 wrote to memory of 4864	3552	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 3552 wrote to memory of 4864	3552	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 3552 wrote to memory of 4864	3552	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 3552 wrote to memory of 4864	3552	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
PID 4864 wrote to memory of 3540	4864	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	build2.exe
PID 4864 wrote to memory of 3540	4864	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	build2.exe
PID 4864 wrote to memory of 3540	4864	c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe	build2.exe
PID 3540 wrote to memory of 1556	3540	build2.exe	build2.exe
PID 3540 wrote to memory of 1556	3540	build2.exe	build2.exe
PID 3540 wrote to memory of 1556	3540	build2.exe	build2.exe
PID 3540 wrote to memory of 1556	3540	build2.exe	build2.exe
PID 3540 wrote to memory of 1556	3540	build2.exe	build2.exe
PID 3540 wrote to memory of 1556	3540	build2.exe	build2.exe
PID 3540 wrote to memory of 1556	3540	build2.exe	build2.exe
PID 3540 wrote to memory of 1556	3540	build2.exe	build2.exe