Malware Analysis Report

2024-10-19 02:54

Sample ID 221201-ea5teafb2x
Target f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95
SHA256 f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95
Tags
djvu vidar 517 discovery persistence ransomware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95

Threat Level: Known bad

The file f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95 was found to be: Known bad.

Malicious Activity Summary

djvu vidar 517 discovery persistence ransomware stealer

Detected Djvu ransomware

Djvu Ransomware

Vidar

Executes dropped EXE

Downloads MZ/PE file

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-01 03:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-01 03:45

Reported

2022-12-01 03:48

Platform

win10v2004-20221111-en

Max time kernel

162s

Max time network

184s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe"

Signatures

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9eba9974-5b95-4fdc-88a3-484078cd628c\\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3288 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe
PID 1148 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe C:\Windows\SysWOW64\icacls.exe
PID 1148 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe
PID 2288 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe
PID 2196 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe C:\Users\Admin\AppData\Local\d00f7f6e-cd23-4782-ab7c-8f3a3b72bfce\build2.exe
PID 2616 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\d00f7f6e-cd23-4782-ab7c-8f3a3b72bfce\build2.exe C:\Users\Admin\AppData\Local\d00f7f6e-cd23-4782-ab7c-8f3a3b72bfce\build2.exe
PID 2196 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe C:\Users\Admin\AppData\Local\d00f7f6e-cd23-4782-ab7c-8f3a3b72bfce\build3.exe
PID 4296 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\d00f7f6e-cd23-4782-ab7c-8f3a3b72bfce\build3.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe

"C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe"

C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe

"C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\9eba9974-5b95-4fdc-88a3-484078cd628c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe

"C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe

"C:\Users\Admin\AppData\Local\Temp\f0cc9991ad44aa04727f3da3b5cc13ec343a838fc3d60cdfdb457c6443714d95.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\d00f7f6e-cd23-4782-ab7c-8f3a3b72bfce\build2.exe

"C:\Users\Admin\AppData\Local\d00f7f6e-cd23-4782-ab7c-8f3a3b72bfce\build2.exe"

C:\Users\Admin\AppData\Local\d00f7f6e-cd23-4782-ab7c-8f3a3b72bfce\build2.exe

"C:\Users\Admin\AppData\Local\d00f7f6e-cd23-4782-ab7c-8f3a3b72bfce\build2.exe"

C:\Users\Admin\AppData\Local\d00f7f6e-cd23-4782-ab7c-8f3a3b72bfce\build3.exe

"C:\Users\Admin\AppData\Local\d00f7f6e-cd23-4782-ab7c-8f3a3b72bfce\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network


Files
