Malware Analysis Report

2025-06-16 03:42

Sample ID 230107-1qmhnaac2w
Target 3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662
SHA256 3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662
Tags
djvu vidar 19 discovery persistence ransomware spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662

Threat Level: Known bad

The file 3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662 was found to be: Known bad.

Malicious Activity Summary

djvu vidar 19 discovery persistence ransomware spyware stealer

Detected Djvu ransomware

Vidar

Djvu Ransomware

Executes dropped EXE

Downloads MZ/PE file

Modifies file permissions

Reads user/profile data of web browsers

Loads dropped DLL

Checks installed software on the system

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses 2FA software files, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-07 21:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-07 21:51

Reported

2023-01-07 21:53

Platform

win10-20220812-en

Max time kernel

72s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b605b19f-625e-460f-858c-d053d2deb7cf\\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\69d282d4-a8c0-4527-bf9c-21f541bc758f\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\69d282d4-a8c0-4527-bf9c-21f541bc758f\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2404 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe
PID 3004 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe C:\Windows\SysWOW64\icacls.exe
PID 3004 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe
PID 2532 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe
PID 4080 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe C:\Users\Admin\AppData\Local\69d282d4-a8c0-4527-bf9c-21f541bc758f\build2.exe
PID 4080 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe C:\Users\Admin\AppData\Local\69d282d4-a8c0-4527-bf9c-21f541bc758f\build3.exe
PID 4556 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\69d282d4-a8c0-4527-bf9c-21f541bc758f\build2.exe C:\Users\Admin\AppData\Local\69d282d4-a8c0-4527-bf9c-21f541bc758f\build2.exe
PID 528 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\69d282d4-a8c0-4527-bf9c-21f541bc758f\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 904 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\69d282d4-a8c0-4527-bf9c-21f541bc758f\build2.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4248 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe

"C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe"

C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe

"C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\b605b19f-625e-460f-858c-d053d2deb7cf" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe

"C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe

"C:\Users\Admin\AppData\Local\Temp\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\69d282d4-a8c0-4527-bf9c-21f541bc758f\build2.exe

"C:\Users\Admin\AppData\Local\69d282d4-a8c0-4527-bf9c-21f541bc758f\build2.exe"

C:\Users\Admin\AppData\Local\69d282d4-a8c0-4527-bf9c-21f541bc758f\build3.exe

"C:\Users\Admin\AppData\Local\69d282d4-a8c0-4527-bf9c-21f541bc758f\build3.exe"

C:\Users\Admin\AppData\Local\69d282d4-a8c0-4527-bf9c-21f541bc758f\build2.exe

"C:\Users\Admin\AppData\Local\69d282d4-a8c0-4527-bf9c-21f541bc758f\build2.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\69d282d4-a8c0-4527-bf9c-21f541bc758f\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country Destination Domain Proto
N/A 168.63.250.82:80 tcp
N/A 8.8.8.8:53 api.2ip.ua udp
N/A 162.0.217.254:443 api.2ip.ua tcp
N/A 8.8.8.8:53 uaery.top udp
N/A 8.8.8.8:53 spaceris.com udp
N/A 178.31.8.68:80 spaceris.com tcp
N/A 211.119.84.112:80 spaceris.com tcp
N/A 8.8.8.8:53 t.me udp
N/A 149.154.167.99:443 t.me tcp
N/A 94.130.190.48:80 94.130.190.48 tcp

Files

C:\Users\Admin\AppData\Local\b605b19f-625e-460f-858c-d053d2deb7cf\3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662.exe

MD5 ed41a53f55c262ef7643469f3452042f
SHA1 b52ef2e63c0fabb806c3cd1000c3cae7d1c79229
SHA256 3cfef558966c8ef8317e53989a0c965c86b35ed19692766b73979c3ae3bf0662
SHA512 42bde896d90b96c219ab266edf053a6e3b880e27971ecc207818f6558cf56107e83d241f4507591359be43480cfa975d1aba17215e15f658c6977271042161c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 7c56401cb6bd1ae402e06f0fe35f81c4
SHA1 b82bbb9fa39266796cafcd308ef4300fc92e3399
SHA256 0c58c7bc18d38a3096da6f3575f1c6f8d79b69382d8e89bb5fca917d3cdb7f65
SHA512 2ea607c2dc04c8ef34ecb4c4bd297e0f0882b179303565863d1745172322133b78186fa04334e82c135e25fd717719ceec917f49682a4eac37034ea87bb2b6f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 cecf05a5f8b9cfb0a56cf45a84be8668
SHA1 214a4b2f604a69362cb37885c8e1567daeb7772e
SHA256 6423fa230ecdfb9aee614c8a08e613a912886cb06b571ebdd6c09475aeb30601
SHA512 f45e9a8669d5fd9fb698ef57017d8998669c853939c818e2a53ba607a7c0b2dad7e574024887332f2dcccde66909dd3e32c1fba6a7481b2dd426431e39247090

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 411cd537dcecbf901759b8e6c1bdb076
SHA1 655df9870867a1760ad1a2c967b330c61767437a
SHA256 aa9e441c6cf813efd9ba76fe4ae52d884a5c7d222ed221903c42f09bc14eb7db
SHA512 ea780f875c86f8694f67d236a0af066b952862356edb681375e6c387103a91ce085345359f8fe83dd630d310ee6b7637512e5868951c4c257daa411ab9c03e71

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 849a6edfaf639e4829460f9a13325fb7
SHA1 6e2e148e4103c62f1a4a0d283b272285ac3ad361
SHA256 3651f18ef8c5f6d04421457eb363e091167fd7626ccc0a55553a076f5461a326
SHA512 748bbebd7ef33a70712dae334e6bfef8d9054527821561544f709ee69807e7e516071447dee76be4b1bb31f75bd12e22cff41f1b90e9d45e3638aec86fd9df7e

C:\Users\Admin\AppData\Local\69d282d4-a8c0-4527-bf9c-21f541bc758f\build2.exe

MD5 8c14bb1505244971374a88f37a4ec22a
SHA1 cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0
SHA256 f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962
SHA512 5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e

C:\Users\Admin\AppData\Local\69d282d4-a8c0-4527-bf9c-21f541bc758f\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\ProgramData\nss3.dll

MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

\ProgramData\mozglue.dll

MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
