Malware Analysis Report

2025-08-10 18:25

Sample ID: 240115-fgplfahfdm
Target: 4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b
SHA256: 4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b
Tags: djvu discovery persistence ransomware vidar stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score
10/10

SHA256

4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b

Threat Level: Known bad

The file 4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware vidar stealer

Djvu Ransomware

Detected Djvu ransomware

Vidar

Detect Vidar Stealer

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:50

Reported

2024-01-15 04:55

Platform

win7-20231215-en

Max time kernel

300s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (14 matches, no further detail recorded)

Djvu Ransomware

ransomware djvu

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c684e268-3cb5-43e3-8d44-f2ae6f69bfb0\\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 lookups)

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (2 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target (identical rows collapsed; event count in parentheses)
PID 2520 wrote to memory of 2080 (11 events) N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 2080 wrote to memory of 2812 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Windows\SysWOW64\icacls.exe
PID 2080 wrote to memory of 2732 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 2732 wrote to memory of 2676 (11 events) N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 2676 wrote to memory of 1344 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe
PID 1344 wrote to memory of 2156 (10 events) N/A C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe
PID 2156 wrote to memory of 572 (4 events) N/A C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2948 wrote to memory of 2092 (4 events) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2092 wrote to memory of 568 (10 events) N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 568 wrote to memory of 2480 (2 events) N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe

"C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe"

C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe

"C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c684e268-3cb5-43e3-8d44-f2ae6f69bfb0" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe

"C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe

"C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe

"C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe"

C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe

"C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {8B6B2ECB-6370-4A3C-9FED-C99847B1F26E} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (2 instances, identical command line)

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (6 instances, identical command line)

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
KR 175.120.254.9:80 brusuax.com tcp
US 8.8.8.8:53 habrafa.com udp
MX 187.209.217.243:80 habrafa.com tcp
MX 187.209.217.243:80 habrafa.com tcp

Files

C:\Users\Admin\AppData\Local\c684e268-3cb5-43e3-8d44-f2ae6f69bfb0\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe

MD5 6f83cf92ac13d4f982229e5907dd66d8
SHA1 2d97ea6768afa98cd1d8ba26435f69750b024729
SHA256 4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b
SHA512 9c9e8cc5b718877934429917cf3a200900498462eda756a6567509b7e49635512b867228244a0a863f54130bf8218f67dc037fcaf6adcb1e28002d76368e6e32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 bdb53c4bb86031a4bd2b0496d7a34b9b
SHA1 6bd7906b423370c4e40b5e28ff6255f8a2e0453f
SHA256 6ee1f8c0cca2b16598741fa3c9d046bda952d5e70558391584960bd74da24114
SHA512 6055e638c53bdbe203e7bfeeac65bc0d3369e888eacd9899dd76f245ff5528a9f423af3e2333d74537fe231a1233b2a17cf002d701cd924acf553df39caf8050

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3251dfddf14c93fba31b02b9ad962048
SHA1 c59021aa0c3d4e4ca7e28dae33224819174ee338
SHA256 ae4510740783cf24770ded8cd3be16f7ed2c157a6614c940f64e5a75d1a7e57d
SHA512 6aa646da18d49f3179d77feb637ab272cfa1c2c2c6b57516dc3cdbe29f4979dd0deb62a66ee19b49722517daf0bb8bf94b4b56b0f23cbbed3edc3e77861a7f6e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 0cd9af3c51d9e32a2ec7a8524b34b870
SHA1 b4100571f2715642adb9d58e56dcf5d09ae065cf
SHA256 ce3e67b690fe39c7b9962a49dc9192b370b2a2c32cff485c2627b8b72f053de5
SHA512 dc4f4b8b63223531c4e7c4cac7eaded726b8ac6b91dbab092d173b17a368a0c6e83c5be9d1de89d178b06130a81481f69dbe44bf91e9ec8f2f909d2025f50fd0

C:\Users\Admin\AppData\Local\Temp\Cab6058.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\d79654d4-fc7c-4a13-a158-4db3cf606007\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:50

Reported

2024-01-15 04:56

Platform

win10-20231215-en

Max time kernel

297s

Max time network

297s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A (5 matches, no further detail recorded)

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (16 matches, no further detail recorded)

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\481c7f21-ac5d-4aee-9a51-ecfd664acf58\\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 lookups)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3964 set thread context of 4380 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 392 set thread context of 2208 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 3608 set thread context of 4496 N/A C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe
PID 4956 set thread context of 4812 N/A C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe
PID 4308 set thread context of 2204 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 96 set thread context of 1020 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3628 set thread context of 4148 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3668 set thread context of 1748 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (2 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3964 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 3964 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 3964 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 3964 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 3964 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 3964 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 3964 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 3964 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 3964 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 3964 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 4380 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Windows\SysWOW64\icacls.exe
PID 4380 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Windows\SysWOW64\icacls.exe
PID 4380 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Windows\SysWOW64\icacls.exe
PID 4380 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 4380 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 4380 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 392 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe
PID 2208 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe
PID 3608 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe
PID 2208 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe
PID 4956 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe
PID 4812 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 4308 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2204 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe

"C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe"

C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe

"C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe"

C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe

"C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe

"C:\Users\Admin\AppData\Local\Temp\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\481c7f21-ac5d-4aee-9a51-ecfd664acf58" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe

"C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe"

C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe

"C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1912

C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe

"C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe

"C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 habrafa.com udp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
KR 123.140.161.243:80 brusuax.com tcp
UY 167.61.128.19:80 brusuax.com tcp
US 8.8.8.8:53 243.161.140.123.in-addr.arpa udp
US 8.8.8.8:53 19.128.61.167.in-addr.arpa udp
KR 123.140.161.243:80 brusuax.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

memory/3964-4-0x0000000002280000-0x000000000239B000-memory.dmp

memory/4380-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4380-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3964-3-0x00000000021D0000-0x0000000002270000-memory.dmp

memory/4380-2-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4380-1-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\481c7f21-ac5d-4aee-9a51-ecfd664acf58\4b9684e393bcb5fb779b00fd025100bca7582a89858ce9344926ff7e3206b90b.exe

MD5 68c6dc4bb98af508ea927973c5ae1f18
SHA1 ca81b47161aa74bc8cc635aedf7a7d2b7cd030ed
SHA256 ffdb53d1a7b69bd2446cc68e43d2ef550087233baaf7e6fcbd38bf636ea2c97c
SHA512 fd780c41c06ca479bf534f72b796ce52f5e79231e28476cae66411da9822d6315b43393f99eac283c744f69f1136ccc2e5eea20ae9999d91fcb0743b93393c0e

memory/2208-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2208-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2208-23-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 f9820f1050240d3021014efb42219838
SHA1 c5defb15a3cdf647632cc8625bd0272fce8cfff8
SHA256 1035557e733a31dedccc5d68cb68367f11325673022271d8c182f1478965534d
SHA512 8f719f2e8cc6a507bf7d584511c92bb77e6df2168b4fa873cd06956d091271cdb69970eb4bc906bf0d4e49e7ebf24dd84b22369bc4f6037cdb7c372921e0c43c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 8425c2cef7881bb733698b1fa063a9b1
SHA1 2d326cdd80461c89b63107aafeb2d12c2b7c5ed4
SHA256 6052c2033ea485747a9d906774377480aa2d85fe53b578bdc23f37972615589c
SHA512 1168d0cfb1d10632c32acf8f71a847cb7749fa3f1395bde3a55ea95b9953cf8223b2bbb71f12f33242e1436bc6cfbb3c5b73f8de91738a38a409aa50b9652e27

memory/392-20-0x0000000000530000-0x00000000005C7000-memory.dmp

memory/2208-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2208-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4380-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2208-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2208-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2208-34-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe

MD5 b223eb351c231205579ab6b61e6b94fd
SHA1 5e83d6467348d00882707ed3baf54dd2673dad1c
SHA256 85dbb98e4407e2bf45898c3b7c2fb1fcf7a956a3a215743f30e1b34cf0fef3bc
SHA512 16ebfc482eb58e2b4090238c5224d554dfcb3bb7658e2216ba0c407e3643dd4f38285e963a91db7c005bf965863cd93c8360b256b833cfdad2176feb532d4ccb

C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe

MD5 aadbd6db48fbae01b6e75743bc391a5c
SHA1 7581ab5c52ffb9a5c08806cb1b008502056834a7
SHA256 63aef04f516b8815d7b5cc18d6b41554f0f5aee68c7ee1822fe3951b1b7187a1
SHA512 e1a20e288810a31973b9d050b884fa0ac7362443b723625ddc7fea97a51b53124758d06ab883eeba40e2594f3ab242b48ba83554c06b81e513cf429486d2bda8

memory/3608-50-0x00000000005C0000-0x000000000060B000-memory.dmp

memory/4496-52-0x0000000000400000-0x000000000065E000-memory.dmp

memory/4496-51-0x0000000000400000-0x000000000065E000-memory.dmp

memory/3608-49-0x0000000000620000-0x0000000000720000-memory.dmp

memory/4496-46-0x0000000000400000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build2.exe

MD5 d08e8f7e9b683a277f35f956460a7f0f
SHA1 39f6f14c5e004efe65e42a6c85f6f5810ef6c0e3
SHA256 6abf8996220322e769a32b379e1a7d01023d56fd5a28a70c12d37bc74e8e0268
SHA512 a3522d216fd6efa3f2dde539d9f8df5e7c01c6ab5411a874d245e49cc646d4a11a90949b76549e6ba4c1c744e4ead1aa60a0e5901981c7ce016058a01c430200

memory/2208-54-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe

MD5 cf4572d028de79f7c1065ecfddf3bbc8
SHA1 80c81785fc3b1a8cd65557a24be1f28e31e01709
SHA256 c9dde988a40e970985fa1fb9b7290dbf660183671beeb2283589d25a2e103f1e
SHA512 bb5f17d4b89432e882e15aca5bf53595597f2aab0ccc3e3de6e0e44f6ea2ac2b869c447b01b6058a5e0573b65b240515d5e1c4e57dd180e4a8033eaa0a32260f

C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe

MD5 9b68e88a96e9bd56293f4c8b39314178
SHA1 a510f7c3d8783d7b8c1335d648cabe70db306840
SHA256 73e41876c3fdb962cd993c53d72b055fd7554669bfa8a9ed0de2621cf92f6052
SHA512 181322e7bb160f4a6945b5cbc820e39f1ae29e84b9b60bd64e942d9f281f4599e709716bf80ec54b6c39f7f4e3d6d28ec321970ba28617af8027189951eab513

memory/2208-63-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3964-66-0x0000000002280000-0x000000000239B000-memory.dmp

memory/4496-67-0x0000000000400000-0x000000000065E000-memory.dmp

memory/4956-74-0x0000000000879000-0x000000000088A000-memory.dmp

memory/4956-77-0x0000000000810000-0x0000000000814000-memory.dmp

memory/4812-79-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 413be23c0c3b8d82d5c6ba901be6025a
SHA1 1dcbb509a094e832eb1851f4167dffdce8a8206f
SHA256 d7d0b766719ab9f192026d7bc2113a4e27648b07e8e274445b225545b57009c1
SHA512 c709e092b4ef5c9ec347a3386bb0db03efed1226805c5a5e8d22587a9ce1217998246ae72c8d4f598da285685919db626e882e4dedbbb269a1921e462cf48a8b

memory/4812-76-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\43dc69ed-a7e7-4b72-b970-0ac4f7cd5e20\build3.exe

MD5 dce34ccd95d49bdcf51fb7197b2b31df
SHA1 5cded5b4c8d8841a7841bd18b326057cebe9c49a
SHA256 ccb892eb37e550e3f37adb6a5c0b92b1eede723849119fbf1cf8a32acee6085b
SHA512 ce98019f279ac2eebb23e79d80e6ec0f298d609872b1ecfef27c1b22bee664bcc72e7770a681afaeaf0984d38474e7ad9b200a87448f298e5b200cc3b67fc1db

memory/4812-71-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 c9dd4ca6c5c1546b84baddd9cdae5e2e
SHA1 b99b7ef16c624198ed897e49dc8a32b9712f95fa
SHA256 8d5f08c10710f2e7911ef2f6d841810d8bfb498f0ec94935d2434113a983bdb4
SHA512 2734158f2fbb213f4abfe0c777cc5a6036baa71683f55e8d8f142d0b29b1e7fb895be2d8166a753e1069ebbdc4573183ed6d9653b28396d5705b588e4afcb7e2

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 d920066e6c8cbb4281cf45b0e1ac4134
SHA1 3bcf903dfac0f5ef6b5cd5e4c6a7e43e8cd1f4e4
SHA256 f35c83a16eea9da526472d30e4075443134876b979bd3ab22aae89158e999fb3
SHA512 68e6dd347de535b1d8e82fe784ca31ea71e3f35b8348caa4f1cb2a472543d8b70b1527de315a212a6d5bd00cc24a4dcbe157f11321b31223cbfbcb37f2b37b95

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/4308-102-0x000000000092A000-0x000000000093A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 06e2d3d1ff70826a19b9126473cd3b2d
SHA1 9a673b489ffb097ad3f9807e5975427857302e67
SHA256 7d11d5a5e60feba709e691f4399b833fafb20dffd6ca21ea6bc9790f25341906
SHA512 0d6b85dc7b895c499e697636bf020e301fe3adedbbed0371fe875887042902871c9fc9a49c3f6a0f1ae1319cbe35a19d3b5f47369821f2f69bb0eeae33748505

memory/1020-127-0x0000000000410000-0x00000000004D5000-memory.dmp

memory/96-124-0x0000000000AAE000-0x0000000000ABE000-memory.dmp

memory/3628-151-0x0000000000940000-0x0000000000A40000-memory.dmp

memory/3668-178-0x0000000000B10000-0x0000000000C10000-memory.dmp