Malware Analysis Report

2025-08-10 18:25

Sample ID: 240115-ffygysaeh9
Target: 2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470
SHA256: 2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470
Tags: djvu, discovery, persistence, ransomware, vidar, stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470

Threat Level: Known bad

The file 2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470 was found to be: Known bad.

Malicious Activity Summary

Tags: djvu, discovery, persistence, ransomware, vidar, stealer

Detected Djvu ransomware

Detect Vidar Stealer

Vidar

Djvu Ransomware

Downloads MZ/PE file

Loads dropped DLL

Modifies file permissions

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-15 04:49

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-15 04:49
Reported: 2024-01-15 04:54
Platform: win10-20231220-en
Max time kernel: 299s
Max time network: 293s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

Tags: ransomware, djvu

Downloads MZ/PE file

Modifies file permissions

Tags: discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f9a45bb9-2be0-4b26-8abb-729ebfc89b89\\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3352 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 3352 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 3352 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 3352 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 3352 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 3352 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 3352 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 3352 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 3352 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 3352 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 4776 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Windows\SysWOW64\icacls.exe
PID 4776 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Windows\SysWOW64\icacls.exe
PID 4776 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Windows\SysWOW64\icacls.exe
PID 4776 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 4776 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 4776 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 1652 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 1652 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 1652 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 1652 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 1652 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 1652 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 1652 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 1652 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 1652 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 1652 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 4648 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe
PID 4648 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe
PID 4648 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe
PID 2720 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe
PID 2720 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe
PID 2720 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe
PID 2720 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe
PID 2720 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe
PID 2720 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe
PID 2720 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe
PID 2720 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe
PID 2720 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe
PID 1256 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 1256 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 1256 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2844 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2844 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2844 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2844 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2844 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2844 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2844 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2844 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2844 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2308 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe
PID 2308 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe
PID 2308 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe
PID 2412 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2412 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2412 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2412 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2412 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2412 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2412 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2412 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2412 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1884 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1884 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe"

Process: C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe"

Process: C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Users\Admin\AppData\Local\f9a45bb9-2be0-4b26-8abb-729ebfc89b89" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Process: C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe" --Admin IsNotAutoStart IsNotTask

Process: C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe" --Admin IsNotAutoStart IsNotTask

Process: C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe
Command line: "C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe"

Process: C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe
Command line: "C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe"

Process: C:\Windows\SysWOW64\schtasks.exe
Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Process: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Process: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Process: C:\Windows\SysWOW64\schtasks.exe
Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Process: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Process: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Process: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Process: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Process: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Process: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 habrafa.com udp
US 8.8.8.8:53 brusuax.com udp
AR 186.13.17.220:80 habrafa.com tcp
KR 175.120.254.9:80 brusuax.com tcp
US 8.8.8.8:53 220.17.13.186.in-addr.arpa udp
US 8.8.8.8:53 9.254.120.175.in-addr.arpa udp
AR 186.13.17.220:80 habrafa.com tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

memory/3352-1-0x0000000002530000-0x00000000025CE000-memory.dmp

memory/3352-3-0x0000000002670000-0x000000000278B000-memory.dmp

memory/4776-2-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4776-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4776-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4776-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\f9a45bb9-2be0-4b26-8abb-729ebfc89b89\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe

MD5 b8b236e9fab508d1ed85fc4ad0843ef5
SHA1 4366140de33fd27603f8aeb5f26d395e5d9a51c8
SHA256 2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470
SHA512 fdb986be769977940c551d0d331c903879761802555fd8df9b82cc9740e28d8bbced1955bd786bee268e2bb4b3734e4ac415b29bcbf5da806b5095beb85c0f74

memory/4776-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1652-20-0x00000000009F0000-0x0000000000A92000-memory.dmp

memory/4648-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4648-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4648-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 c59cab556400eb40ceac32fe0115c947
SHA1 47ceb44cb24bba7eeb30ae84781e08ae7c857050
SHA256 7d7035b101b9ce7d06486aeb8b9e8d18c42256a05c877862126aaffb9aeb22d9
SHA512 c95d433d0bc30d9112f5002ed0083cb8283181ecae5ce8d10784248e6b0489cf8c8a406c019d84ea54f78f6cd5100a2e2fbc67703141039a108da27f77d512f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 d4de3ad1154ecca1283bfbbbb10e8048
SHA1 db2ac46ef1b0b060582deab0153e4de455c9b892
SHA256 de65e26e8b0a9f86d94f13847219257bf2d7f124fd5885c4a5cf39ab7ba3e785
SHA512 1e911a0b12395be3b2a53938d1753eb667a7d836d828d13a91e5f43cb70962cf68246770b57e7214ebfeada9bd5345a12b82adacae6416e6bf18680c7f2c645d

memory/4648-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4648-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4648-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4648-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4648-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4648-41-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe

MD5 56d345a1f005ed14beb5477502cd93b2
SHA1 f070b5d8c2d986e2ba96cba32486fe75c9914a5f
SHA256 f020e2b0651312065af61565a18f24776d4952a83dbb654cb8a2894a82ca11ab
SHA512 5ea8f03e0283f14e51065b9a3fd20b2af7a98857e4744ac29096d1e4ee46c0bd2e0e093a1cc91801b0b7d3547cf71b948a03ae3e972dbd4b39cd5afffa7bd184

C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/4648-45-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1256-50-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2720-54-0x0000000000A30000-0x0000000000A34000-memory.dmp

memory/1256-55-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2720-53-0x0000000000AE9000-0x0000000000AFA000-memory.dmp

memory/1256-56-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1256-58-0x0000000000410000-0x00000000004D5000-memory.dmp

memory/2844-76-0x0000000000B1A000-0x0000000000B2A000-memory.dmp

memory/2412-95-0x000000000084E000-0x000000000085E000-memory.dmp

memory/1884-114-0x000000000098E000-0x000000000099E000-memory.dmp

memory/5056-137-0x0000000000A40000-0x0000000000B40000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 a4f6fffee96cda7a29579017f0899c64
SHA1 820e654a00474dfe1dede7cd921ce192310d1fa1
SHA256 2325159cd56f70a1b3eccb1b31b0c803a8e49430b62b39efafa744b805ae1467
SHA512 7c1c0d087cecb38d9b0a8a372caffc3375e95b47ae46e344c2712e386a0899326304c940e535b14e219348f25a1351bd2a020d96ba08faa0976cdc69d19647dd

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-15 04:49
Reported: 2024-01-15 04:54
Platform: win7-20231215-en
Max time kernel: 298s
Max time network: 166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe"

Signatures

Detect Vidar Stealer

Tags: stealer

Detected Djvu ransomware

Djvu Ransomware

Tags: ransomware, djvu

Vidar

Tags: stealer, vidar

Downloads MZ/PE file

Modifies file permissions

Tags: discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\11da1ed9-3ab4-46ca-abb1-0fd1a7cfbc85\\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2216 set thread context of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2552 set thread context of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 740 set thread context of 2604 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
PID 2800 set thread context of 1960 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe
PID 2104 set thread context of 2256 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3016 set thread context of 1180 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1504 set thread context of 1580 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2668 set thread context of 2248 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

Tags: evasion, spyware, trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2216 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2216 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2216 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2216 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2216 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2216 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2216 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2216 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2216 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2216 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2308 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Windows\SysWOW64\icacls.exe
PID 2308 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Windows\SysWOW64\icacls.exe
PID 2308 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Windows\SysWOW64\icacls.exe
PID 2308 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Windows\SysWOW64\icacls.exe
PID 2308 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2308 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2308 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2308 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2552 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2552 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2552 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2552 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2552 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2552 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2552 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2552 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2552 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2552 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 2552 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
PID 3008 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
PID 3008 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
PID 3008 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
PID 3008 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
PID 740 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
PID 740 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
PID 740 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
PID 740 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
PID 740 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
PID 740 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
PID 740 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
PID 740 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
PID 740 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
PID 740 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
PID 740 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
PID 3008 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe
PID 3008 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe
PID 3008 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe
PID 3008 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe
PID 2800 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe
PID 2800 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe
PID 2800 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe
PID 2800 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe
PID 2800 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe
PID 2800 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe
PID 2800 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe
PID 2800 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe
PID 2800 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe
PID 2800 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe
PID 1960 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 1960 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 1960 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 1960 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2604 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe

"C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe"

C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe

"C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\11da1ed9-3ab4-46ca-abb1-0fd1a7cfbc85" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe

"C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe

"C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe

"C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe"

C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe

"C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe"

C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe

"C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe"

C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe

"C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1460

C:\Windows\system32\taskeng.exe

taskeng.exe {4AFDD69A-4276-4491-ACB3-D1D15EC0CEEB} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
BA 185.12.79.25:80 habrafa.com tcp
KR 211.168.53.110:80 brusuax.com tcp
BA 185.12.79.25:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp

Files

memory/2216-0-0x0000000002180000-0x0000000002212000-memory.dmp

memory/2216-1-0x0000000002180000-0x0000000002212000-memory.dmp

memory/2216-2-0x0000000002220000-0x000000000233B000-memory.dmp

memory/2308-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2308-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2308-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2308-8-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\11da1ed9-3ab4-46ca-abb1-0fd1a7cfbc85\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe

MD5 b8b236e9fab508d1ed85fc4ad0843ef5
SHA1 4366140de33fd27603f8aeb5f26d395e5d9a51c8
SHA256 2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470
SHA512 fdb986be769977940c551d0d331c903879761802555fd8df9b82cc9740e28d8bbced1955bd786bee268e2bb4b3734e4ac415b29bcbf5da806b5095beb85c0f74

memory/2308-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2552-28-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2552-29-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2552-34-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/3008-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3008-36-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 474e8bc1d6ed0ea9ace8de2fdc236b78
SHA1 61f6de7dbfb0613de91ad30fe5a234d0ffed596a
SHA256 505a775131700a08b3a2878d4f5edcfd46f316d48baf0334348b10cc2084bb04
SHA512 1b5564e1474e5e8135ec95de74e826c34005322e2c71bfbb685decda97e73cf65b13401f318b624cec1a61eb11261cbaf3ef231d95c1517e5e4a7467930f2236

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 d3df90005c5a4c3ff5ac8e9034d57b3f
SHA1 dfa24520cfe380b7770f6114e50c6aaf2405069c
SHA256 3871b702db80ce7a24b40e8f201e2fe57c77e9844b13cbe8ce06490385fc15a2
SHA512 01a57f94756794c3b9b8448d4045810ef8f9f7df7fde649ed5f9aa33e1ffc938aaee9f811c8eada116210ae3fd32df8ea46a6ba52f558dae6cda1deba3c44d95

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5279abd0f2814821a433529fb5a3c1a
SHA1 08101db46d899c2b8d7cee24ba5c20317a93b155
SHA256 2e9b8b8f128f0fb3a724eec5edaf783b8c1d6977a9c1da15a368969a5276aed8
SHA512 cf8563f42078f4f5d7eb6c993547e2a15f9f2d9350c1df2e1ccfb34ce8bfef4399815e30ff7ffe39bfffca7fa42a62b77baab4eadf19a372e9054fc8c6f835c5

C:\Users\Admin\AppData\Local\Temp\Cab8D71.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/3008-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3008-50-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3008-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3008-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3008-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3008-58-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe

MD5 c4070da9f9b0581171af16e681ccdff8
SHA1 3fb4182921fdc3acd7873ebe113ac5522585312a
SHA256 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
SHA512 c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427

C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe

MD5 5fdbc7061921001b06f5bcd8f1fd3e27
SHA1 bf1bb8bc1113827f3c615352fb7105d71ebf6e4d
SHA256 4f78c94ab539b688956081dac8e29b1505192f195c3d95be26f97c6c22fd5fe1
SHA512 eafd539c4c6489f3f522f1a05be71d8693c95db24a196361814d89c4173c405fda15258746886a42d8916bc9621ad8aab2c441f6c42512d25184b8af69373588

memory/2604-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/740-78-0x0000000000460000-0x00000000004AB000-memory.dmp

memory/740-76-0x00000000002A0000-0x00000000002C7000-memory.dmp

memory/2604-79-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2604-74-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2604-84-0x0000000000400000-0x000000000065E000-memory.dmp

memory/3008-91-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\Temp\TarA3B0.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1d57fe74b613a0fbb7dfb50d72cd7f8
SHA1 88fb4afde2476c87ee1475656e3ab231de479bd2
SHA256 d7d2e38460bf8599297d1cd383cd4885c29b74e35bc5ec34dcde50bb5d678f9f
SHA512 9411e49cf815cbd07b1eff2793e1603b1a38ed3ce54ba5f91d537488478454a8abeed5f4da2510d33a0a741d1e99d7bade8b35656d3b1e54f90176a191680f47

memory/2800-194-0x0000000000970000-0x0000000000A70000-memory.dmp

memory/2800-195-0x0000000000220000-0x0000000000224000-memory.dmp

memory/1960-204-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1960-211-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1960-219-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1960-220-0x0000000000410000-0x0000000000477000-memory.dmp

memory/2604-227-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2104-243-0x0000000000900000-0x0000000000A00000-memory.dmp

memory/3016-269-0x00000000008F0000-0x00000000009F0000-memory.dmp

memory/1504-298-0x0000000000920000-0x0000000000A20000-memory.dmp

memory/1504-314-0x0000000000920000-0x0000000000A20000-memory.dmp

memory/2668-330-0x0000000000860000-0x0000000000960000-memory.dmp