Malware Analysis Report

2025-08-10 18:24

Sample ID 240115-fhgl8ahffm
Target 5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95
SHA256 5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95
Tags
djvu vidar discovery persistence ransomware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95

Threat Level: Known bad

The file 5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95 was found to be: Known bad.

Malicious Activity Summary

djvu vidar discovery persistence ransomware stealer

Vidar

Detected Djvu ransomware

Detect Vidar Stealer

Djvu Ransomware

Downloads MZ/PE file

Loads dropped DLL

Modifies file permissions

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:52

Reported

2024-01-15 04:57

Platform

win7-20231215-en

Max time kernel

293s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c7a8d402-37d2-464d-8f6c-8241bbef596c\\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1684 set thread context of 2752 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 2088 set thread context of 2860 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 2168 set thread context of 1260 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
PID 2248 set thread context of 1964 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
PID 2676 set thread context of 2972 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1464 set thread context of 840 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1080 set thread context of 348 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2924 set thread context of 1876 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2768 set thread context of 2672 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe N/A

The Blob written by these two events decodes to the public DigiCert High Assurance EV Root CA (subject and issuer "DigiCert Inc", "www.digicert.com", valid 2006-11-10 to 2031-11-10), and the key name 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 is that certificate's SHA1 thumbprint. A well-known public root landing in AuthRoot, alongside the CryptnetUrlCache entries listed under Files, is consistent with the Windows automatic root-certificate update being triggered by build2.exe's first HTTPS connection rather than with the sample installing a root of its own; this hit should be read as a side effect of the network activity, not as evidence of certificate-store tampering.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 1684 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 1684 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 1684 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 1684 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 1684 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 1684 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 1684 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 1684 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 1684 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 1684 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 2752 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Windows\SysWOW64\icacls.exe
PID 2752 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Windows\SysWOW64\icacls.exe
PID 2752 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Windows\SysWOW64\icacls.exe
PID 2752 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Windows\SysWOW64\icacls.exe
PID 2752 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 2752 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 2752 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 2752 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 2088 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 2088 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 2088 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 2088 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 2088 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 2088 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 2088 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 2088 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 2088 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 2088 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 2088 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
PID 2860 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
PID 2860 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
PID 2860 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
PID 2860 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
PID 2168 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
PID 2168 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
PID 2168 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
PID 2168 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
PID 2168 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
PID 2168 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
PID 2168 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
PID 2168 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
PID 2168 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
PID 2168 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
PID 2168 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe
PID 2860 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
PID 2860 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
PID 2860 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
PID 2860 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
PID 1260 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1260 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1260 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1260 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2248 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
PID 2248 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
PID 2248 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
PID 2248 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
PID 2248 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
PID 2248 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
PID 2248 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
PID 2248 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
PID 2248 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
PID 2248 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe
PID 1964 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe

"C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe"

C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe

"C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c7a8d402-37d2-464d-8f6c-8241bbef596c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe

"C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe

"C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe

"C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe"

C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe

"C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe"

C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe

"C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1456

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe

"C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {94260BD7-4207-46A4-87B1-94A819890B9E} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
KR 211.168.53.110:80 brusuax.com tcp
KR 123.140.161.243:80 habrafa.com tcp
KR 123.140.161.243:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp

Files

memory/2752-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2752-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2752-8-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1684-7-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/1684-4-0x0000000001E30000-0x0000000001F4B000-memory.dmp

memory/2752-9-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1684-1-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/1684-0-0x0000000000220000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\c7a8d402-37d2-464d-8f6c-8241bbef596c\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe

MD5 0a1c07d8f0a02a3b3ad87fb6770993c3
SHA1 6f2f6e352bba65133369ff22fd8d2fcd7222bb78
SHA256 3c6e60fc855b4a961ed906f36321da84cbadda7717a6596b2762d54829f96c3e
SHA512 9452393e5457c8cc8936bfe9b157886f557df699468b4c9dca7f1d91aa6e3bb34d20556987bbef5d5d3ab4f70ed8cb23b7de9ac0ea1570d819b4a3db768ce2aa

memory/2088-28-0x00000000002E0000-0x0000000000371000-memory.dmp

memory/2752-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2088-30-0x00000000002E0000-0x0000000000371000-memory.dmp

memory/2860-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2860-35-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 077d0320462b49e67107a0c054bc4e18
SHA1 eca4dbf3ba2871eb256d430bc6f19cefc937f5f9
SHA256 f940b7fbd3b64eb8680a2e8e0fe796c8185575b4de7afb8e5bd019277e2de53d
SHA512 35774686b5e99b18668ac662224a138f70a926b34a171cfafa22d2026a80c82c57f5c4deacdddebbffaf6c7c9d37052f932777321df6c1e6dcccdff6f5692981

C:\Users\Admin\AppData\Local\Temp\Cab2CAC.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 56f3a4084e5911a6842ea6491c6509d1
SHA1 4acc7dee468700dd3171444a7fffa754abade33b
SHA256 3e13aee320061b7a0087727380d216d9660c4a0ed8400bda42b297893a2cb580
SHA512 cdae98628f7ee2e547ff0f2121d12d2d82f3c5e5a81f56270edd4e801bacb15f78d433409aad15b2ce2b5b8e5eb2a0cf4fe7820884cf238612376ef5b42802d9

memory/2860-50-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2860-49-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 85a3356dc69b9ba81a1200a295775c69
SHA1 d2570084703e635ddc5d64b3e29aaee0458904ce
SHA256 7ff66131a092b016d48507adbd45eae27d08e32b5c9383e4abaec0d196e60a22
SHA512 69d7a55d36e1ffed5cf505a2401ccabb2d6cfb7398edc82f7a122fc197e1ee8a59b882add73b99086aec2110674320a8eda88ecf534b80ec4de5d0ca3c389a5c

memory/2860-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2860-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2860-54-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe

MD5 93a9fc448f5d6ee357b877ea45c728b1
SHA1 9117410d638153298f2ee16e6c9f54dd0ab95533
SHA256 6594e2680d17afa761e0dd6f2e9c1353ce5a7918e381e649ab602d263ff446bf
SHA512 b5a0ac57794cb9ef8b96d22644df17df73cf930b86d0c3be781a8544c2c6e482f075c56dfc7c15fb93eaa34558ad533f8f099d8d1055ec77bdd02a46d97faebe

C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe

MD5 dce665b9fcabb81b8993ea1ffe1a1545
SHA1 76ffa54e06e7cf6c30b80b1622c3688322f072f2
SHA256 378589590951cabf226b9d40da1c3809eb391cd976155c15e39b6d63e80face2
SHA512 c329fd1637d204922f2e144f4c2cf74791df3dcf7069e140f42620b1bcc020b8a5904e37a43f3caba0bdf7759872b5f6c2e6c340993db77a1e9adbada0f71883

\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe

MD5 090bd842e2d09d1d2a5645a92c0b2f62
SHA1 048f1bb3ec59cf58f19de66f5ebec38b60e35327
SHA256 6390a49d9dd6db8b3aa5c400f09b2ea3e7416d4ddc1b29091e64128c73a979ce
SHA512 e380a72e672ed8944152ff2ad4cfdd9385bccf8544b1b51c091b39a937fe1fe7a5969733da383506b52c704ba20e18ccd1ce56a299afc8029ce0599cf7d0b884

\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe

MD5 b3d165d49705ef1bcaaef95d51184a7c
SHA1 86f1dbad38aa09e58972f5b1f02a9a2d6216a74a
SHA256 a7179f0c3353e1341c7fa282f648325d250ae82bb2f6df154cee3d52de1b8ec2
SHA512 f7ab03efa5f199aeaf76a6af20340fc38ead59b5dac127a16383112b674d33c0945686a25097db19236220b64de562dc691e5a7277557b3c72126b91c4b10e9c

C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe

MD5 ca3917b2e5bbdb9e5734fe725b5b80a6
SHA1 068fa9764296f639d982053e84016230370dd5e1
SHA256 7e57d1e8d655eddfd1567867e662caaffdfd4864d9a15098f83f02569502fe7e
SHA512 c7aa7e06505c4c029db5c36fd43a1bdff654cd429b5f34dfd8e204b857c157b249602f30c6413f8d5f58e36058d109c87fd74101f1e6df25fbdc965c2c086e73

memory/1260-78-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1260-80-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2860-79-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2168-74-0x0000000000230000-0x000000000027B000-memory.dmp

memory/1260-75-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2168-72-0x00000000008A0000-0x00000000009A0000-memory.dmp

memory/1260-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe

MD5 93ccbec018a8da1d4e271098e5849f98
SHA1 e9e3314da0018e70bdd94f421956c7425675af4a
SHA256 e349260f7da99382e6f914bece0036c95a0ffe91d70d9490c9d82f2c115fe52e
SHA512 14b23ce71769384920e3c82dd232ec22b2c67c134be893682c0a29f05ac3c288dcf5f8df5b129f9b4dacd71ba7e2ac60923c6b2f188881888a3718bb018d5f60

C:\Users\Admin\AppData\Local\Temp\Tar3E39.tmp

MD5 65846057126132b51335657bd3cdc8e2
SHA1 88caac5b2223e54cd73e4084ee84dc5649ab2450
SHA256 ab393b8e107c7f9012adca3669470ca7153795812aa9685e9b840c395561e828
SHA512 a767fd47a737ac0e93c08cdecba1496385c6890f5e857563b789f4dd793e7a4ae89eb46330de4772bb4de70085416c692f5273a322c2ec14d65455b0f6834f78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba4c6b82e116d3510d2f2e792f38d2a6
SHA1 e440b6a5043730dc8bbc96d225dae5e14e62cd08
SHA256 993ec3c8bf5f56753989067b1bc674e570e09040ba380a18b6a9fe2f7f5d4883
SHA512 6ba2047df7e5022f2d2f7b39288c4aae3704b71b1dd1aa4674fe651c521eeed2ec0a1e1d569c8f6714207b2dd6ff32a833869fe2ffe9fafecc1ecc87f89899af

C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe

MD5 f49397aceec33fd12c85398ae4b6a68e
SHA1 0716633105ae3cf692c7fa6f9d0910c2b78ab1a0
SHA256 28cf4f95d16427d570b99ebd885f1fdf75e21871fe13403f340cbc9bf9c59211
SHA512 83606b8907b69bcdc951939d1b8291809488d53a85306c585df083fa121d01bd06175a6f25594c08396e8c91d79df10c8eb35b181d560a7da99d4006802545bc

C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe

MD5 b3d7a44dc29a1b69636e5e6aa6b0bf9b
SHA1 c8f7188cd3e7e90a2413b641ba4356239a734b1a
SHA256 d20851dc0adfcfc1349b4129d1515dc7e366e586190de2150a847f9843c0f43e
SHA512 87a7c1ba21d256d12e1416f183e7bf60f0e898dd3e52ab5b253c0ed4c987b2fd9d28234dd7bb3c2a7787af5c9e7d5254ca58044458d1b700d8ba8430f6acbd26

memory/2860-207-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe

MD5 bfd0bf66f7c0b8ea98444d781d01d358
SHA1 5f420ebc36be51b742f18154f0469825522d2ac2
SHA256 13c3ed37541dd8d0894eb63a9ebbac85ef14fe6460eb2953be70624d16c5eaaa
SHA512 1a740168b63fa66c5b85a930eea56eb789d91c9013c2e402596a450779704aee0db608d388ea4a76d35512c7d7e6f7ad65a39f7211f17b171000c94460b726ed

\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe

MD5 1f6abdb53e15615605affb291438cf2a
SHA1 bb58a4d9b6d5e4a8b2d959373ec46ccc7d547a52
SHA256 8ab9396a2aa1b31d98c4ab9cee3fa42f3354f5e49da0bcde1a1cddba8239d4ba
SHA512 87e40aa79aac63576c5e2fb06d7bf54fdecfaf12d298223dd52f46091f1c1d19d1caf74c1c371375603ff8950f57c07b1f6e6f60aca3c831f8e96a9ecb3dc59b

\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe

MD5 3eb2466aaa27955834a0e3a3ee2980cb
SHA1 abab7a747dae1488d713abf421c6a1e746b017d2
SHA256 5fe961ba9c0621da1c7660b411b5126a8785fa6ce97f034dae3ec25166f34ff4
SHA512 5bce2df344a839ce41fc1d58d0494f160a302c531e5bdc6f916cd92f8ea6342189dd219a3b6f8e3f6fe0ab84f1d60d1540dd4ab02780e366a3669b6b1c18dfb3

\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe

MD5 af3c3fa08c34302db34aea22e12fc51e
SHA1 1fd9662ddba3049803289c23cab6493b1d5efda6
SHA256 4a9b3f548e9256cd25e9273b5ddabbc5a815000d3eb8d02442fa6279f5334dd2
SHA512 0bfe2571a4e65ebf3cafa5ed5c5c54013bd5faf351cea5629890357968a96b970a322cc97533243c379c2d0d82a845f5166ce417b897a377f32e76358e659e88

\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe

MD5 aa4cb72142123c666acec1ee51c694e4
SHA1 df2d4fc0d6280173b4487250d1facdfe3fec5caf
SHA256 4fe24a2bb591d887594c6200dede75610149326ff2d31c2bef7480017d991f01
SHA512 fb0c8e9f3093eb55ed172f17e47af27921202dd1e0c066cda78be5c2460ed9c77f5972716760f203f8d494a44897d0b4032aa61949fa194afea57e52c634b6a9

\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe

MD5 3adcf124ba7d6ca067ea4c6305a6679d
SHA1 f34c7022d1f3b1006069619b4abbb9a393065d69
SHA256 2a7363910cb34de5712dc8c0a7bca16187621fd6d7911d199aeae3847152571a
SHA512 cef9703fa3c00a21948285acd71b5b718206cddf2443b6c7361b48e7c5d6fb0e18662d2526284cf1cb9d9bfabe9c3ef621aa033aadf93663a7796fab2511c3e9

memory/1964-234-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe

MD5 0c74f8dc892bf829189aabcccc5f0ba1
SHA1 fb894c4d0ec5c6a8ce0f309d01d0686bb94886ee
SHA256 09a8265a74b7380966d12e8d0c5e1292ef9117423b9f2fde70c17bb6a271fb99
SHA512 b3dfdf5eaceacb9fb3ed9fdebf0d3f4faf34f12cbfd1d42e7c3fa480d3de5e1008a2e44857723a5119ffe69a1863c5985455b81bfd598d71db3e5e73e2a56970

memory/2248-237-0x0000000000A02000-0x0000000000A13000-memory.dmp

memory/1964-241-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1964-239-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2248-238-0x0000000000230000-0x0000000000234000-memory.dmp

C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe

MD5 73c744361d663544a12d1eb10488f451
SHA1 33f09811da0beedf347ae22129502e4cbbf8240c
SHA256 b7f9d45530de09859ba7f6eb495f112b001c7d0bd0f5765dbdd64950ccca3f24
SHA512 257c15fc9cd5316747ec46edd3c4643db1f08de307adb7c150c85d63d75074193841093613481382f2d1fb80acddbf9d543b582d7625fe2d55994b172381c0fc

memory/1260-244-0x0000000000400000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 19181f57b86b820be337e9f14c3fa297
SHA1 4c37b5540f872011108971ca3053c78fe3259b2b
SHA256 09f347e166b1cd9ba0e146b991bd2a19afc1398348d15f17b553c7db295ca1aa
SHA512 cfa0f3f5c983f107da90b158f9f828f99b0e725722ee3af1e66e06b6912207f79f419e9a0b6854985ee122058385d573b56dbc9626fa0f39a65dae64ffb6d2a7

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 dbe8a2a8024004c88fa59bc166ee4a1c
SHA1 1fb8cd20bf35511fe717bfa79e7dcb9df41562ed
SHA256 616f87cd6c33bb6e8ed9a724df6d07ef2b0555be28008f1b741558400486a1a7
SHA512 547f60f57dc63b56f75205b1bca5888ce971503730609e3e3b63434ce384ab1d7ecc4f5bc98c384e6fd8ebbbf14f98a111098c96052eba604523073a50e9fc1c

memory/2676-256-0x0000000000990000-0x0000000000A90000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1464-284-0x0000000000912000-0x0000000000922000-memory.dmp

memory/1080-309-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/2924-340-0x00000000009F2000-0x0000000000A02000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 b362789135c5db0f5d4565b4538e12a4
SHA1 d5b051dadc4bdf6271e10453114aba23512239ff
SHA256 57dcdb835e0de94000d36bbb127d701ac96bc5659fc4048cbe016cfc5e2dfcd7
SHA512 438f75b83005786d412bbf0c867ad3f230109332873b32dc7fa82d109d565722b6c9f1b08992b51a8ca948965fa5425f29cee993781219634a5546a7037fe165

memory/2768-368-0x0000000000C72000-0x0000000000C82000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 a0432f52c06407f511b2de017af7c49e
SHA1 2233a133cca47bfc8c2db675a40860f14f390c72
SHA256 48e04756e9d5e48119892235b7cfe7c1848699bb110ecf1369f7ae62cef6fefe
SHA512 3476b772c6161e61d4595e8ef479275d3ee265fcd9c7178adcf31c9803f2b38e47e1f611d2ee3b0090cc65da1bbaa0e7d5fc90cb6b7ee8759386b9ee065b8e99

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:52

Reported

2024-01-15 04:57

Platform

win10-20231220-en

Max time kernel

296s

Max time network

296s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
(7 matches; every column recorded as N/A)

Detected Djvu ransomware

Description Indicator Process Target
(17 matches; every column recorded as N/A)

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\585116ff-9e61-4b84-8672-c176542c915b\\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4328 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe 10
PID 312 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Windows\SysWOW64\icacls.exe 3
PID 312 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe 3
PID 1540 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe 10
PID 4812 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build2.exe 3
PID 1528 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build2.exe C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build2.exe 10
PID 4812 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build3.exe 3
PID 1280 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build3.exe C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build3.exe 9
PID 3036 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build3.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 2060 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe 9
PID 3796 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe 1

Processes

C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe

"C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe"

C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe

"C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe"

C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe

"C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\585116ff-9e61-4b84-8672-c176542c915b" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe

"C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build2.exe

"C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build2.exe"

C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build2.exe

"C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 1900

C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build3.exe

"C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build3.exe"

C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build3.exe

"C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
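
The process list above records the full Djvu staging sequence: the sample relaunches itself with --Admin IsNotAutoStart IsNotTask, copies itself into a GUID-named folder under %LOCALAPPDATA%, uses icacls to deny Everyone (S-1-1-0) delete rights on that folder, registers a SysHelper Run key with --AutoStart, and its dropped build3.exe/mstsca.exe creates a scheduled task that fires every minute. The Python below is an added example, not part of the sandbox report, that turns those observations into host-based detection rules and runs them over constructed Sysmon-style events. The command lines, registry value and file path in events 0-4 are copied from this report; the event dictionary layout, the rule names and the two benign events (5-6) are assumptions made for illustration.

```python
"""Host detections for the Djvu/Vidar chain recorded in this report (added example)."""
import re

# The sample's SHA256-named file, as it appears in the report's process list.
SAMPLE = "5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe"

# Constructed Sysmon-style events. Events 0-4 reuse command lines, the Run key
# value and the dropped-file path from this report; events 5-6 are made-up
# benign admin activity, included to show the rules stay quiet on ordinary use.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmd": r'icacls "C:\Users\Admin\AppData\Local\585116ff-9e61-4b84-8672-c176542c915b" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'},
    {"type": "process", "image": rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}",
     "cmd": rf'"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}" --Admin IsNotAutoStart IsNotTask'},
    {"type": "registry",
     "key": r"HKU\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "value": rf'"C:\Users\Admin\AppData\Local\585116ff-9e61-4b84-8672-c176542c915b\{SAMPLE}" --AutoStart'},
    {"type": "file",
     "path": rf"C:\Users\Admin\AppData\Local\585116ff-9e61-4b84-8672-c176542c915b\{SAMPLE}"},
    {"type": "process", "image": r"C:\Windows\System32\icacls.exe",
     "cmd": r"icacls C:\Share /grant Users:(OI)(CI)RX"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'/create /sc daily /st 02:00 /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]

# %LOCALAPPDATA%\<GUID>\ staging folder used by the Djvu copy and its payloads.
GUID_DIR = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
    re.IGNORECASE)
ICACLS_DENY_EVERYONE = re.compile(r"/deny\s+\*S-1-1-0:", re.IGNORECASE)
SCHTASKS_MINUTE = re.compile(r"/sc\s+minute\s+/mo\s+1(?!\d)", re.IGNORECASE)
SCHTASKS_TR_ROAMING = re.compile(r'/tr\s+"?[^"]*\\AppData\\Roaming\\', re.IGNORECASE)
DJVU_SWITCHES = re.compile(r"--Admin\s+IsNotAutoStart\s+IsNotTask|--AutoStart\b")
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def check_event(ev):
    """Return the names of every rule that matches a single event."""
    hits = []
    kind = ev["type"]
    if kind == "process":
        image = ev["image"].lower()
        cmd = ev["cmd"]
        # Djvu makes its staging folder undeletable for Everyone (DE,DC denied).
        if image.endswith("\\icacls.exe") and ICACLS_DENY_EVERYONE.search(cmd) and GUID_DIR.search(cmd):
            hits.append("djvu_icacls_deny_guid_dir")
        # build3.exe / mstsca.exe register a task that fires every minute from Roaming AppData.
        if image.endswith("\\schtasks.exe") and SCHTASKS_MINUTE.search(cmd) and SCHTASKS_TR_ROAMING.search(cmd):
            hits.append("minute_task_from_roaming_appdata")
        # Djvu's relaunch / autostart switches are rare in legitimate software.
        if DJVU_SWITCHES.search(cmd):
            hits.append("djvu_command_line_switches")
    elif kind == "registry":
        if RUN_KEY.search(ev["key"]) and GUID_DIR.search(ev["value"]) and "--AutoStart" in ev["value"]:
            hits.append("run_key_autostart_from_guid_dir")
    elif kind == "file":
        if GUID_DIR.search(ev["path"]) and ev["path"].lower().endswith(".exe"):
            hits.append("exe_dropped_to_guid_dir")
    return hits


def scan(events):
    """Map event index -> matched rule names, omitting events that match nothing."""
    result = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], ", ".join(rules))
```

Each rule keys on a combination (tool plus a path pattern plus a specific argument) rather than on icacls.exe or schtasks.exe alone, which is why the two benign admin events produce no hits; in a real deployment the GUID-folder pattern and the one-minute task interval are the terms most worth keeping broad, since the task name and folder GUID change between samples.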

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
KR 211.119.84.111:80 habrafa.com tcp
KR 211.168.53.110:80 brusuax.com tcp
US 8.8.8.8:53 111.84.119.211.in-addr.arpa udp
US 8.8.8.8:53 110.53.168.211.in-addr.arpa udp
KR 211.119.84.111:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 121.150.79.40.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp

Files

memory/4328-1-0x0000000002110000-0x00000000021AF000-memory.dmp

memory/4328-2-0x0000000002210000-0x000000000232B000-memory.dmp

memory/312-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/312-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/312-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/312-5-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\585116ff-9e61-4b84-8672-c176542c915b\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe

MD5 48b85455400096f7d930911abbe46a65
SHA1 bea2888f3cd2ea8676ce646e16d50d336e6df729
SHA256 b603024519b976c837d8167dac15c2a0ae1fe9905a49304c341898b45989b783
SHA512 1fa6c637666f0dfc2434279705b6cd4f82720a2f668fcba84848c16215286633baf18c56bcd16bf7fbe2992f36624cc7b42ac87dfa221187d7e8746ca0746643

memory/312-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1540-20-0x0000000002140000-0x00000000021DF000-memory.dmp

memory/4812-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4812-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4812-23-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 b8707bfeb84a09b164e775df63f64259
SHA1 cd21c87e47fddecea3cdda868056f7b3aef98755
SHA256 61c9517cf9d89cdceb31ef167220083caead72cb8e8098e08fa0f4734eb46004
SHA512 49a66036e35db78a0c1bc76b4969f9c7cde330537f1f0c397d4acf8b979f34e65f8e2e7ef5ebaeb5b15d0ca1d9f3eba35da53ca50ddb1ae3b98ceef89e376f1f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 757a07870e69f57f149145e1d4a4489c
SHA1 318a8db2745aa47ed357613926488370ee3d47d9
SHA256 b549d996e99b8431e3154cef5e1db89aa5aa170a9ed8129a88f579e05611fdb4
SHA512 6bcabc6ac157aeea1eb0c3965e856247c966a8de7f60b867125c891a0c31b583a57d5a721166bf5c16dafd4d41fc1a85407a22fd070baf5ea957ffae1d43746e

memory/4812-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4812-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4812-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4812-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4812-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4812-38-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build2.exe

MD5 c4070da9f9b0581171af16e681ccdff8
SHA1 3fb4182921fdc3acd7873ebe113ac5522585312a
SHA256 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
SHA512 c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427

C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build2.exe

MD5 7ac1437359ea9ecc0d046ee6c34ad527
SHA1 0aa81e1e4990744597f306923aaf826d594378af
SHA256 4af1be3ae2ec6679b5cf1d938de4cd061070ca66570e085e4c8ba6d7c04e3ad7
SHA512 34b9f22235e4dc607e5b3d96e2b822c64493150ebe5cbefb32f3f962c66cb946aae2401dfa3a69825cfb7d94c2c8ce2bcacd56bc29828fdf8191a73671e2a56e

memory/2960-47-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1528-52-0x00000000006A2000-0x00000000006CA000-memory.dmp

memory/1528-53-0x0000000002090000-0x00000000020DB000-memory.dmp

memory/2960-54-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2960-51-0x0000000000400000-0x000000000065E000-memory.dmp

memory/4812-64-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2960-67-0x0000000000400000-0x000000000065E000-memory.dmp

memory/3036-71-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1280-74-0x0000000000979000-0x000000000098A000-memory.dmp

memory/3036-75-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1280-76-0x00000000008E0000-0x00000000008E4000-memory.dmp

memory/3036-78-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3036-79-0x0000000000410000-0x00000000004D5000-memory.dmp

memory/2060-104-0x0000000000A80000-0x0000000000B80000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 98e9c79f0850f9fd27813ff508ebdf6e
SHA1 ef4dc6f8b95cd93187772221d782654874c3b02f
SHA256 db37610e462afc67ca1af1253e097fca18e4ee00706950fbfa1f9e8d07eab01f
SHA512 734c80dd74bebdafef2784c29dde86f083908b2ba4143bbfe4f7f9676a3a02082904bb87f6dc3dfb909191b844a8e9bbb9eda70d68e11d251f466c25a52e8d26

memory/1800-128-0x0000000000AE0000-0x0000000000BE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9fd4860b8a74aedf22a69df7196af20f
SHA1 bcb51626359dfe12108d0d350aba604dc0d5c251
SHA256 91ae6d89ff0b9ec7160d7a949aa0afaae1732647a4120b4dd55ff5598212e86e
SHA512 b5ce9297c3b4f76d32fa0fa9eb8c68d2b51d61d4b5fca83211386080c6382414e715c2fc437be73b0177ba846cd79a871e2f7af595f15e6ecb7c7b60ed3129b4

memory/4656-155-0x000000000085E000-0x000000000086E000-memory.dmp
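
The Files listings in this report interleave three kinds of line: a dropped-file path, the MD5/SHA1/SHA256/SHA512 lines that follow it, and memory/<pid>-<seq>-<start>-<end>-memory.dmp entries for dumped regions. A path is listed again every time the sandbox hashed new content at it, which is why build2.exe, build3.exe and mstsca.exe each appear with several hash sets. The Python below is an added example, not part of the report, that parses this layout into IOC records, validates digest lengths, and reports SHA256 values that appear under more than one path. The embedded sample input is an excerpt copied from this report (behavioral2's first two build2.exe records, its build3.exe record and one memory line, plus behavioral1's mstsca.exe record); the function names and the memory-region helper are illustration.

```python
"""Parse the sandbox report's Files section into IOC records (added example)."""
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMORY_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DIGEST_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

BUILD2 = r"C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build2.exe"
BUILD3 = r"C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build3.exe"
MSTSCA = r"C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

# Excerpt copied from this report's Files sections (behavioral2 records plus the
# behavioral1 mstsca.exe record); the report itself lists many more entries.
SAMPLE_FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build2.exe

MD5 c4070da9f9b0581171af16e681ccdff8
SHA1 3fb4182921fdc3acd7873ebe113ac5522585312a
SHA256 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
SHA512 c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427

C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build2.exe

MD5 7ac1437359ea9ecc0d046ee6c34ad527
SHA1 0aa81e1e4990744597f306923aaf826d594378af
SHA256 4af1be3ae2ec6679b5cf1d938de4cd061070ca66570e085e4c8ba6d7c04e3ad7
SHA512 34b9f22235e4dc607e5b3d96e2b822c64493150ebe5cbefb32f3f962c66cb946aae2401dfa3a69825cfb7d94c2c8ce2bcacd56bc29828fdf8191a73671e2a56e

memory/2960-47-0x0000000000400000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Local\92f2ab59-ce21-44ad-b703-80dd3ef88536\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
"""


def parse_files_section(text):
    """Return (files, regions).

    files:   {path: [ {algo: digest, ...}, ... ]}  one record per time the
             path was listed, in report order.
    regions: {pid: [(start, end), ...]} from the memory/... dump lines.
    """
    files = defaultdict(list)
    regions = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_LINE.match(line)
        if m:
            pid, _seq, start, end = m.groups()
            regions[int(pid)].append((int(start, 16), int(end, 16)))
            current = None            # a dump line ends the current file record
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.groups()
            if current is None:
                raise ValueError(f"hash line with no preceding path: {line}")
            if len(digest) != DIGEST_HEX_LEN[algo]:
                raise ValueError(f"{algo} for {current} has {len(digest)} hex chars")
            files[current][-1][algo] = digest.lower()
            continue
        current = line                # any other line is a path; open a new record
        files[current].append({})
    return dict(files), dict(regions)


def shared_sha256(files):
    """SHA256 values recorded under more than one path -> sorted list of those paths."""
    paths_by_hash = defaultdict(set)
    for path, records in files.items():
        for rec in records:
            if "SHA256" in rec:
                paths_by_hash[rec["SHA256"]].add(path)
    return {h: sorted(p) for h, p in paths_by_hash.items() if len(p) > 1}


def region_size(regions, pid):
    """Bytes covered by the distinct dumped ranges recorded for one PID."""
    return sum(end - start for start, end in set(regions.get(pid, [])))


if __name__ == "__main__":
    files, regions = parse_files_section(SAMPLE_FILES_SECTION)
    for path, records in files.items():
        print(len(records), "hash set(s) for", path)
    for digest, paths in shared_sha256(files).items():
        print("same content at several paths:", digest, paths)
    print("PID 2960 dumped:", hex(region_size(regions, 2960)), "bytes")
```

Run against the excerpt, the parser keeps both build2.exe hash sets as separate records, and shared_sha256 shows that the mstsca.exe written in behavioral1 and the build3.exe written in behavioral2 are byte-identical (SHA256 fef2c8ca…b408), which is what the two listings above record; mstsca.exe is build3.exe relocated to Roaming\Microsoft\Network for the scheduled task. The digest-length check catches truncated hash lines before they are loaded into a blocklist.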