djvu | b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8

Analysis

max time kernel
296s
max time network
134s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 04:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe
Size

677KB
MD5

29c90df93010a44329059fe0300d92da
SHA1

2b5da6fe0256f1f27e86d955b4c53177e91d85dd
SHA256

b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8
SHA512

a1866d160ac263c8d4a9380469a4cb0ecf6d86621c6cfef43b1eade133be3bf9e5fb0d67f63f13af72faca11af52cf06ec464378fed7c444b5553d00950bf128
SSDEEP

12288:oaTA97Ia6XHj9DF5nX7p/+haG3S/jktz0H1PiqvYWfXdQSD+YbaUcDrh:rcx+XHj5brpm0G3QjwIpi+YWfXdZK8b

Score

10^/10

djvu vidar discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://zexeq.com/test1/get.php

Attributes

extension
.cdqw
offline_id
mMsRxMUuXypapZbGOAfxD9pczHmW8zVRP7Pgjwt1
payload_url
http://brusuax.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-99MNqXMrdS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0840ASdw

rsa_pubkey.plain

Signatures

Detect Vidar Stealer 7 IoCs

stealer

resource	yara_rule
behavioral1/memory/644-99-0x0000000000220000-0x000000000024A000-memory.dmp	family_vidar_v6
behavioral1/memory/1772-101-0x0000000000400000-0x000000000063D000-memory.dmp	family_vidar_v6
behavioral1/memory/1772-100-0x0000000000400000-0x000000000063D000-memory.dmp	family_vidar_v6
behavioral1/memory/1772-95-0x0000000000400000-0x000000000063D000-memory.dmp	family_vidar_v6
behavioral1/memory/1772-190-0x0000000000400000-0x000000000063D000-memory.dmp	family_vidar_v6
behavioral1/memory/1772-210-0x0000000000400000-0x000000000063D000-memory.dmp	family_vidar_v6
behavioral1/memory/1772-252-0x0000000000400000-0x000000000063D000-memory.dmp	family_vidar_v6

Detected Djvu ransomware 14 IoCs

resource	yara_rule
behavioral1/memory/2044-7-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2044-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2044-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1760-4-0x0000000000AE0000-0x0000000000BFB000-memory.dmp	family_djvu
behavioral1/memory/2044-44-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2156-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2156-52-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2156-70-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2156-69-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2156-76-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2156-77-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2156-74-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2156-78-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2156-112-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

pid	Process
644	build2.exe
1772	build2.exe
596	build3.exe
1048	build3.exe
2644	mstsca.exe
2604	mstsca.exe
1988	mstsca.exe
832	mstsca.exe
1096	mstsca.exe
308	mstsca.exe
2688	mstsca.exe
3008	mstsca.exe

Loads dropped DLL 8 IoCs

pid	Process
2156	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe
2156	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe
2156	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe
2156	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2480	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d2ded7b7-d32d-4d17-a361-31a3dd943734\\b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe\" --AutoStart"	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.2ip.ua
5	api.2ip.ua
16	api.2ip.ua

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 2044	1760	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	28
PID 2536 set thread context of 2156	2536	conhost.exe	32
PID 644 set thread context of 1772	644	build2.exe	35
PID 596 set thread context of 1048	596	build3.exe	40
PID 2644 set thread context of 2604	2644	mstsca.exe	49
PID 1988 set thread context of 832	1988	mstsca.exe	51
PID 1096 set thread context of 308	1096	mstsca.exe	53
PID 2688 set thread context of 3008	2688	mstsca.exe	55

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2576	1772	WerFault.exe	35

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2280	schtasks.exe
2260	schtasks.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2044	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe
2044	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe
2156	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe
2156	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2044	1760	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	28
PID 1760 wrote to memory of 2044	1760	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	28
PID 1760 wrote to memory of 2044	1760	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	28
PID 1760 wrote to memory of 2044	1760	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	28
PID 1760 wrote to memory of 2044	1760	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	28
PID 1760 wrote to memory of 2044	1760	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	28
PID 1760 wrote to memory of 2044	1760	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	28
PID 1760 wrote to memory of 2044	1760	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	28
PID 1760 wrote to memory of 2044	1760	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	28
PID 1760 wrote to memory of 2044	1760	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	28
PID 1760 wrote to memory of 2044	1760	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	28
PID 2044 wrote to memory of 2480	2044	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	30
PID 2044 wrote to memory of 2480	2044	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	30
PID 2044 wrote to memory of 2480	2044	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	30
PID 2044 wrote to memory of 2480	2044	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	30
PID 2044 wrote to memory of 2536	2044	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	47
PID 2044 wrote to memory of 2536	2044	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	47
PID 2044 wrote to memory of 2536	2044	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	47
PID 2044 wrote to memory of 2536	2044	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	47
PID 2536 wrote to memory of 2156	2536	conhost.exe	32
PID 2536 wrote to memory of 2156	2536	conhost.exe	32
PID 2536 wrote to memory of 2156	2536	conhost.exe	32
PID 2536 wrote to memory of 2156	2536	conhost.exe	32
PID 2536 wrote to memory of 2156	2536	conhost.exe	32
PID 2536 wrote to memory of 2156	2536	conhost.exe	32
PID 2536 wrote to memory of 2156	2536	conhost.exe	32
PID 2536 wrote to memory of 2156	2536	conhost.exe	32
PID 2536 wrote to memory of 2156	2536	conhost.exe	32
PID 2536 wrote to memory of 2156	2536	conhost.exe	32
PID 2536 wrote to memory of 2156	2536	conhost.exe	32
PID 2156 wrote to memory of 644	2156	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	34
PID 2156 wrote to memory of 644	2156	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	34
PID 2156 wrote to memory of 644	2156	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	34
PID 2156 wrote to memory of 644	2156	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	34
PID 644 wrote to memory of 1772	644	build2.exe	35
PID 644 wrote to memory of 1772	644	build2.exe	35
PID 644 wrote to memory of 1772	644	build2.exe	35
PID 644 wrote to memory of 1772	644	build2.exe	35
PID 644 wrote to memory of 1772	644	build2.exe	35
PID 644 wrote to memory of 1772	644	build2.exe	35
PID 644 wrote to memory of 1772	644	build2.exe	35
PID 644 wrote to memory of 1772	644	build2.exe	35
PID 644 wrote to memory of 1772	644	build2.exe	35
PID 644 wrote to memory of 1772	644	build2.exe	35
PID 644 wrote to memory of 1772	644	build2.exe	35
PID 2156 wrote to memory of 596	2156	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	37
PID 2156 wrote to memory of 596	2156	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	37
PID 2156 wrote to memory of 596	2156	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	37
PID 2156 wrote to memory of 596	2156	b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe	37
PID 596 wrote to memory of 1048	596	build3.exe	40
PID 596 wrote to memory of 1048	596	build3.exe	40
PID 596 wrote to memory of 1048	596	build3.exe	40
PID 596 wrote to memory of 1048	596	build3.exe	40
PID 596 wrote to memory of 1048	596	build3.exe	40
PID 596 wrote to memory of 1048	596	build3.exe	40
PID 596 wrote to memory of 1048	596	build3.exe	40
PID 596 wrote to memory of 1048	596	build3.exe	40
PID 596 wrote to memory of 1048	596	build3.exe	40
PID 596 wrote to memory of 1048	596	build3.exe	40
PID 1048 wrote to memory of 2280	1048	build3.exe	39
PID 1048 wrote to memory of 2280	1048	build3.exe	39
PID 1048 wrote to memory of 2280	1048	build3.exe	39
PID 1048 wrote to memory of 2280	1048	build3.exe	39
PID 1772 wrote to memory of 2576	1772	build2.exe	44

C:\Users\Admin\AppData\Local\Temp\b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe
"C:\Users\Admin\AppData\Local\Temp\b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe
  "C:\Users\Admin\AppData\Local\Temp\b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe"
  2⤵
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\d2ded7b7-d32d-4d17-a361-31a3dd943734" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2480
- - C:\Users\Admin\AppData\Local\Temp\b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe
    "C:\Users\Admin\AppData\Local\Temp\b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe
      "C:\Users\Admin\AppData\Local\Temp\b70087d7f98d1202412bef14f85685697fe14b29a6c0e91da315c6bcc6b253d8.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Loads dropped DLL
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build2.exe
        
        "C:\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:644
      - C:\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build2.exe
        
        "C:\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build2.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1432
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2576
    - - C:\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build3.exe
        
        "C:\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:596
      - C:\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build3.exe
        
        "C:\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1048

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\taskeng.exe
taskeng.exe {3CD12ED2-9AFA-47F7-9035-7DCC90967C99} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
1⤵
PID:2484
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2644
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2604
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1988
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:832
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1096
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:308
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2688
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:3008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1714357722-7643076841086459121-1004050260-1608055438-201906393-1130688999-892818354"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
60a5e0473de1471940dbbea528dd3e33

SHA1
40b5e0f3932093d5106d1bf53a912c6cd48e1e9a

SHA256
6f76f374963b90b7a8e18c72f40f8836ccef657a08530bf6539ea5bd03dbc494

SHA512
1b18e92207cb28cef1def502ad7c8a380deada35e727421b5fadf0c8f32af39675009da07aa4fdbeb4693b516b354d0d369faf96f8f39a53b8ed81680eae5c30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
42KB

MD5
05dd11036fb260aa51cab073f8631e4f

SHA1
e52ea487e23d4249f64ca581c32d688a3c7390ba

SHA256
0d638225f825bd02137a1688a0b6a88c256f742b12b2ae7dfc8b01ac70fbdd61

SHA512
55a5f4b22707e699d62b2322c97370aa67ff2496c81c64325755d5f8753b95e429b077fbc94aee30f263c8065a2069ffc2a4eb9d7ca03b943ba379ae80567a02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
1KB

MD5
1f1a3b101012e27df35286ed1cf74aa6

SHA1
46f36d1c9715589e45558bd53b721e8f7f52a888

SHA256
7f0b1fe38c7502bea9c056e7a462ab9f507dd9124f84b1d4666fb7d37cf1b83c

SHA512
d6f6787de85049d884bf8906292b0df134287cc548f9f3fadd60d44545652d55c296ed50e72687f776f0bf6b131102b4bf9b33143998cb897f21427fbc8306a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
00dfcede93e66b869f9983f1dad60261

SHA1
e5d6162dd717e0b8b1b8390e5ece02c9cd7ac02b

SHA256
fb7f68aa89364143d5d56d8dd0b6f47c84f7b8337ff89b7644dcb4ffdea928cf

SHA512
8dbd41420290ce018a9f1359b6ead95b1408489ddddcf94c5b5f6fb2fcb81f52a7d1457e900c10efb7b92af5fcc06b6cae308444b79dee1421ddc4a890884f94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
1b166346b3f0c044828a8331c49080fc

SHA1
da69ff6438af467a729e631451df7c9391593882

SHA256
5cc63bbaf68f64e708fbde435cb260f3fb532844994c13e49b099102d40c7f4e

SHA512
9745215e19a1a954e6a91c41ba736fae01220bdc173f264d6eb27359c37c3d7d23b159d2a6d06d5a3352a39e2987e5a68b0e724990e6165606403a4367ce87db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e4a00437d58a1aada02195229e6b5f4

SHA1
4126c779dc2a66c784893bab5a52f314213f5d15

SHA256
a10f09c8b59d0fab470efe9dbcfe1674fa1d43e773bd672e8be0f6dd37468ac5

SHA512
e46d1d4c8ca40b805e9e6c8b2a9bc3740012a32cabc7ac2510d6d0dca9789efc63cb5233b1979e601cca51469298843236e700914f520f86649a894c9cd8fcb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb91ac51c96cedc0f49d250851457b9c

SHA1
66b02303722461da5bb22d16a13219514879118b

SHA256
5e9e7a5f2933814952c730fb53621405438e1dbcab68d0cbec84e23ebdd04bd2

SHA512
fe9a14bc38dcdb917c06ee4b5a995442995494ab49d817c1ed7d44288e2dd1bd96cb11ab299f8ff0ad964d28dde5c8af7c9c9a3a362c25e74b693baf61488b3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
48fc4598c510697cff0e957cd6363432

SHA1
e5d54d06449bba7b87f400f51a906e4e7ef5b32b

SHA256
39a5e8db4f563cbc53bc453b196fe9fd6a17f9c4e4cd5e1a9b3cfc60045ea59d

SHA512
a75b3a7cabc7378682be15970cf53199cee55fb71999e643f319f9ea04c6bf87bbf2fc1238bbe3ef45dec2783a6aac0dd8d415e8cd429250d819f5a660f4d67c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
461067596de0244376543702d8d82a30

SHA1
81882ab2617328e9b9affdc3034d990e544fcce0

SHA256
d8e4c6064657d92c89946e577a67c3c28cc438b4fee06511b4fa160cbc1d4068

SHA512
5374edbd99056e44f92257a37d952a674a3ac962074a84b61ba1feff277b455be807502c1544dd274ae0400b84668bb9dfdcf7e9b613805f1129cc53b8369f09

Download Submit
C:\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build2.exe

Filesize
22KB

MD5
29cb96df2e930e06b8a7d65934a6dad8

SHA1
e2e43b49886ba183bb5fac611e9acd523b41712f

SHA256
6e5a998bc901aa474b09da825d3ba7088f65c792d8acf21f449037bc12e84418

SHA512
674b792fd9544fbf0b875e5716c04ff69f3ebcd7b261f56edad6f7c44a3abdb46904278b4c9ae166cd9b93e750a2ab27955881537dd2fb869d101d138ca9b902

Download Submit
C:\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build2.exe

Filesize
24KB

MD5
56a89514bc2582849f7078b71ee1a4c7

SHA1
a717f56078bd8d45ec2883c32c0b4a1eada4759b

SHA256
928e81f99b4275e6e9bc5328b271acc82332c3dcd35a85f91a52a12df4e1264e

SHA512
335e362856778f189fb4307ecb75e83de9aaebf1da99af2971a6bf739b98cdb4f256ba43eb9b207f7a5f513df7d9963a5b59094c9b6ce26bb501d2259689d1f1

Download Submit
C:\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build2.exe

Filesize
1KB

MD5
0a253894f954cb763ebb66c5d1111c0a

SHA1
2b03cee02974519b7689fd2e9f853ec7ceba31eb

SHA256
9295b5a69cb309825ad7d39d04374939ec47aaef6eed9a929acd6b888bc824be

SHA512
463ac64216369400247fd88a299f38c75400836734de228c1930bd8fa1680a679fdb32052af2994605a19f05313ac8350091e75f01fddc228d96a726a0401641

Download Submit
C:\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build2.exe

Filesize
45KB

MD5
f1ce5db3766f18894aee5e57f5d8280c

SHA1
673219c4db54c491de341fc900afc5b8d925d532

SHA256
e4fb2ce011c30d695938df7b275f573c62437c102a47e3083805732629330b72

SHA512
e4a3ccb90502ddf3e92cc27b6d2f37efe9ec1c7b73885deeefa12577aa9579886b698a9f28d91737253b0db0b878d5a62715c6f76b8c0aee46196a40ba474df0

Download Submit
C:\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build3.exe

Filesize
7KB

MD5
6806b7628d199ace7ec289c96597afe6

SHA1
219462f17e73762d177e59e4bdf4d11532ac2f5e

SHA256
230c740d51310e2fe38234ae7af9af9f22153ff0c62b76c68432116d25291a85

SHA512
1458a2989a964c85a90acbff633a80423fdf91ed0b5ce6010720f645b5cc2a74f86407818089487a9723df9b417a1f7577c3a1f389224d9cbefc30c0603194f8

Download Submit
C:\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build3.exe

Filesize
11KB

MD5
015da4643fad06eb2916e545d9647f84

SHA1
f6c253e5647f0bbe10a2cc922b03c757d42e918f

SHA256
f3c5ded95c69029b58c78f012d3d319d7a50c39c70265fe64eff9a7f49a730ed

SHA512
817bd7bb92a19999b740c2b6ffa7fb4d87e6d54663672655e828fa59dfecfc877071e6dddb9a5926a5bd0cd6c0cb55ff33e24afa19087707eb938045c8dcf6a9

Download Submit
C:\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build3.exe

Filesize
22KB

MD5
273d1cce69ec2344a07016f1442a02a2

SHA1
55296369e18f094ddffd1ad2f1295b33a9270d6a

SHA256
b01c21ac07b42e2248c0263b8bfd7845763fbeda8cdf7ac6021af5b5f86ebc91

SHA512
ac62bdb7d2c28c8a139a7ed9b808d3d89f511793ec1452cc44a12f23cc1afcc583b188ecb6af2b5e5ec70ba5f4c4ce46f08d4bc8d499fe5c238c9e9bad4ec92e

Download Submit
C:\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build3.exe

Filesize
78KB

MD5
768b60ba71f10a32f7e32addb81509e2

SHA1
08a50c08a76049283b900e5bdf437e91fe5155d2

SHA256
07a07f41e897518fd4c11778501371c02a2d9de1b6d9e43951ea525ea888812d

SHA512
2f368e3d45a8af0a9d07c308c88b83b2332aa808663fa17571df0b4843a940d982ce15df3b07600bf84afa8f11655b0deb5480b53eccf4576c1c1dba6de3985c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar52F1.tmp

Filesize
37KB

MD5
b69dc48dc23fe4519f5b05a00a6b22d6

SHA1
2cb64d050e90766861f401a10492be1137b2ebe0

SHA256
ebad100a857b7f4753f2011bd8be6c92b2f723323c2867763b76a2e351671cd8

SHA512
8871cc928a21acfa4ffaf7fb5cdcdd2318d1ee55179985a5fdb9450e061cc0fefd21526f266bb664343b459acac4330fa0c40457a870811413c5ed0a960085bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
39KB

MD5
0e94453e79ef24cc819253687ea88fb3

SHA1
829ad18da6330fbfbaa728a1eb0f18961e5d39ba

SHA256
6213467e0db4da0e0a34184552b15c3db102ec4c3f9bdf86057905ffb384db6f

SHA512
46e85c7c258505f1af2b7d2565deef6e16f119c177bfaab81e0a06218f5824ad9bffcb2b5049404a800c9d2f5aa543287275b84abead4d1fd5495a2b143f6860

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
15KB

MD5
6cab20be7e34bd0998c6aa930cb73222

SHA1
462a3088c11fdae94256ae4582dc3e533da9255f

SHA256
f1f8f11889900a80c72878829d381d503d957c6bf25a11c442d7057967edd5af

SHA512
21da02bd0215a50150859a2eb3a266edd2d2627d9f6ede05a01aae85d27f7e86805e9d7351878f8c26bcc59faece9a7ed003f463b400f8cfe24344c1209ec719

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
24KB

MD5
4de6b663807bf43bf72e41fbdf58bfc1

SHA1
03b4b7b94e57c05fee80cc0272032b664a0d4f2d

SHA256
63b8ec6f0e5905bed9ee1da673e0d2568fb32b7655b847c3881da1a607083f0e

SHA512
445afb6a1808c11230f8a0d29ddb6c5d7378c7ad36fb3b2f9f5b8ee743749cc3aa3f659b823b3f53c0f936090932cc2704168923c5183a4d2aa6782cb370ed20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
63KB

MD5
e399e19eb91d465adb0a879bc5e5446f

SHA1
4153d3586a3d110e87d71bf5ab92e3b79c579bd0

SHA256
81ce6d8abf9ca73281789c98443acabffebba30a7f4da7bb126731886e06caec

SHA512
57c231b1f9df4c55f7d4ecd7c0a0ace8321a27489c3a49bb595a98554fe6cbc0390036f5bf94b17619bb15096e5bc97fb146a6867194a4707593dc0d3a027915

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
170KB

MD5
97640e35c2e404992570a00cc36fd41a

SHA1
842673bebcbdfa6c13cc4e2a34eda00c59bd31c5

SHA256
d3f007aab6a0a90cc99ecf2f639176012ad4398a82a78f29212c1cfece02983b

SHA512
f6ceb042b8090e1656e57daf849289620b38df89e9b31d6c8154a68fb75ea522674fe459406f8951ea8377120e2bbef496ea7069d06cb92e4b0068e91b439e52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
111KB

MD5
2d5df992508a991ca104f927ef376b88

SHA1
cfbcd3fc74f7f5973370c1195fd35fd8184fe237

SHA256
6dfd81debd46b583ecfc68d82bbb529c0fcaa266d88e18d2f83ee54d23388814

SHA512
34d6105ce79b78a6b8a72c14eabf3b152325cb367cec2b35a6ffa7442aaaee37bf43b62a5e5c56cf69c9e626b96b4561596fc03c4b053731e2fb8ca0dff5de59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
75KB

MD5
0c99beb4b11ee926c8fa571256626596

SHA1
f8a096f3358fc2f429dd8744d8bb1631f85d8358

SHA256
a47e82b795505c9799bdcf424558da31f21dc710dfdac79f2c37ba4608f03cb1

SHA512
6839360ebaaf319d86e5a144669dcaac2bbb44b6bf9241b85d66a48d3fe363731e6efab7ced0d9874eab1faa4e8b196208d1bd720af1204d4d6dffa828297f0b

Download Submit
\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build2.exe

Filesize
42KB

MD5
515e90c64815c03c33db6299e18e32d4

SHA1
ae224fee19bf211809098f7874bc304bd02ad3cd

SHA256
8cf751730407cdb453f9adf65618f67c1762e102abe3e6a3914cf82df09be190

SHA512
a317749dca21d0128a7786336aaea5fc50da4afb93319187c6e998258fbeee089f0ba2d400828fbf0a6015a450ceae31bb786162eaf32540cd9a3e6b688fdf42

Download Submit
\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build2.exe

Filesize
6KB

MD5
1df24e4ba28a65898905ef0d451cfdbe

SHA1
d50e07cb2fde282c79c8d388bfc4fa0401826853

SHA256
8670dd6d2e4ba9ef2928adc4c6ef1362a8b86e340f8a1558aac668ad10a2c7a4

SHA512
26978ae11f3b6e251ce3ed5fd690d8ce93b036bf89a7b00a20c867eacfed8ef7d9a65b40cd03f5c8e1955344e9f56bec3d19c5657f4c216118c8231761f7f7e6

Download Submit
\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build2.exe

Filesize
111KB

MD5
b42ea15d6d56c21f01002b981e282ced

SHA1
98e4142719e01ca9aeff28053b174fa21cf6310a

SHA256
7ff32db186eeb4a6a5a249995f83a0ec441b22bb5800606364d6688fe119620c

SHA512
3266ead1d7c8013395f35499b48b2fc963f429c4a15632c3e9b2528f57954ee52c3fa4eb023411c3daa94aaa67fd604809ced30894116f197f5f0c78b9eecf47

Download Submit
\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build2.exe

Filesize
9KB

MD5
76573c1a13a05975cb56ef1b3e1dc31c

SHA1
d867e31f148c93344a85419021a8631f08df6643

SHA256
9876d7775ad15336c6a7cf45671c86520f75807113f4fd337db514873f2ff272

SHA512
9024f27803720fb3fa829dcab03027a6d269477b8855f7c67c87f7f27abc4f96d35e4d53d716ec684fb643ff89d928c36463575dde08852d562293760c08b425

Download Submit
\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build2.exe

Filesize
17KB

MD5
4badae1ccb2023486e621ea5f05b3593

SHA1
745c79a0a0b0e9c14ffd7fc4d1dee035b0867697

SHA256
88edf9779e137a54e20c63f8f4ad32bd4386d48a7c06e5236c743535517a4003

SHA512
f62bc102c71dc5123ec407d91e15770786e3a09bb320c95d722fef97dcfc09a9b2c18beeb8644104b13e38d65ee3827952d58b6d4c43ae0fa20fee6a4aea05b5

Download Submit
\Users\Admin\AppData\Local\21abc4b2-de7f-4bb3-9829-2621d719fe3f\build3.exe

Filesize
1KB

MD5
d35c806c95b926208b06f305860de044

SHA1
fd111b2072749c0e2b3f1bb7102e4fbcdd8b931b

SHA256
722325dfc7e0a3d8b9c5bcf978e54f9a90a83ffa5d14372a51dc7c3609fee061

SHA512
cb5f66f83bd6a8ddad6d740479d17352d3a8249ab6fec7ea0ee071dcc7f9855ed378dee61bb65e92d272e3fb8187282ce08d0694550cfa610bf6e6508ec5b6a6

Download Submit
memory/596-119-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/596-117-0x0000000000930000-0x0000000000A30000-memory.dmp

Filesize
1024KB

Download
memory/644-98-0x0000000000920000-0x0000000000A20000-memory.dmp

Filesize
1024KB

Download
memory/644-99-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1048-120-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1048-123-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1048-125-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1096-317-0x00000000009B2000-0x00000000009C2000-memory.dmp

Filesize
64KB

Download
memory/1760-1-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/1760-4-0x0000000000AE0000-0x0000000000BFB000-memory.dmp

Filesize
1.1MB

Download
memory/1760-0-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/1772-95-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/1772-100-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/1772-190-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/1772-210-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/1772-101-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/1772-252-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/1988-289-0x0000000000332000-0x0000000000342000-memory.dmp

Filesize
64KB

Download
memory/2044-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2044-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2044-7-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2044-44-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2044-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2156-77-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2156-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2156-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2156-70-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2156-69-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2156-76-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2156-74-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2156-112-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2156-78-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2536-46-0x0000000000320000-0x00000000003B1000-memory.dmp

Filesize
580KB

Download
memory/2536-51-0x0000000000320000-0x00000000003B1000-memory.dmp

Filesize
580KB

Download
memory/2644-260-0x0000000000A02000-0x0000000000A12000-memory.dmp

Filesize
64KB

Download
memory/2688-346-0x0000000000312000-0x0000000000322000-memory.dmp

Filesize
64KB

Download