Malware Analysis Report

2025-08-10 18:24

Sample ID 240115-fj5ensafg7
Target 8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9
SHA256 8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9
Tags djvu vidar discovery persistence ransomware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9

Threat Level: Known bad

The file 8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9 was found to be: Known bad.

Malicious Activity Summary

djvu vidar discovery persistence ransomware stealer

Vidar

Detected Djvu ransomware

Detect Vidar Stealer

Djvu Ransomware

Downloads MZ/PE file

Executes dropped EXE

Modifies file permissions

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-01-15 04:55

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2024-01-15 04:55
Reported 2024-01-15 05:00
Platform win7-20231215-en
Max time kernel 299s
Max time network 165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe"

Signatures

Detect Vidar Stealer

stealer

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8268814b-eceb-4584-95c5-fd9651381e30\\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2256 set thread context of 1992 N/A C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe
PID 2560 set thread context of 2424 N/A C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe
PID 2144 set thread context of 1528 N/A C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe
PID 2852 set thread context of 824 N/A C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build3.exe C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build3.exe
PID 2916 set thread context of 3020 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 808 set thread context of 2828 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2600 set thread context of 1904 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2648 set thread context of 1500 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2732 set thread context of 2368 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe
PID 1992 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe C:\Windows\SysWOW64\icacls.exe
PID 1992 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe
PID 2560 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe
PID 2424 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe
PID 2144 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe
PID 2424 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build3.exe
PID 2852 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build3.exe C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build3.exe
PID 824 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 1528 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe

"C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe"

C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe

"C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\8268814b-eceb-4584-95c5-fd9651381e30" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe

"C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe

"C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe

"C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe"

C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe

"C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe"

C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build3.exe

"C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build3.exe"

C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build3.exe

"C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 1464

C:\Windows\system32\taskeng.exe

taskeng.exe {3340BD73-419C-43A9-9AE8-1D1AFD7335C5} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
KR 211.181.24.133:80 brusuax.com tcp
US 8.8.8.8:53 habrafa.com udp
MX 201.119.97.253:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp

Files

memory/2256-0-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2256-1-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/1992-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2256-3-0x0000000002260000-0x000000000237B000-memory.dmp

memory/1992-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2256-7-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/1992-8-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1992-9-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\8268814b-eceb-4584-95c5-fd9651381e30\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe

MD5 565c475cae0e0db1c7f91152d5b5e8f2
SHA1 11af57d84807b03b63ff723c67e2f6cc7d7a1bb8
SHA256 8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9
SHA512 aebefd3c27131765a0763cc58032fabf98521e63507b2b275754eeb10565b5a3f4a598bda0dcf2e1df269493cfb456607b45142a0bb904ecf4d48c60907101c4

memory/2560-28-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/1992-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2560-30-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2424-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2424-36-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 00a04ef073b717a5f9f243a07b6a0778
SHA1 d2d797aa88a0e8154e99e9d570b46933d99682ec
SHA256 b1315d5a90f25e76f77eecd619b5c4f407d30760e94514f40a0a3f112595a12a
SHA512 1dd489f8163f6da6640a46b6bedb38d036ee88437b23cf7b5d00887d578a4e2da18878ae6e8fd4aaaba2b28412132d8b238169c0dbddfcebfa767a1b085047be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 6289fae3ab603fb4bbe270375e594ca7
SHA1 739a20bf73206fb8034f4b167642c8e1663176b1
SHA256 004b2cf168e540cca660858526d02cd9ec285c7eff0bdc886b56c0e5906d4f00
SHA512 a7f7f6a744243155456032fc6f900c6e9b1bd105d66edd777873a9c95d10c04f1b8b358c43ded100436a707448300172344bbcb87d0911dfc03599d9dcc8d7ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\Local\Temp\CabA341.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f4f6717b6e4da85e5b2e3034ae56c772
SHA1 05f0cbf878796f49a353885fb393259d7db0a1da
SHA256 765abbe4dd76f9ba381a9fd8ec170b30983fc7a5a80dc7f13cd2deae2f76ae0c
SHA512 f2ea8ec59d2de9ff9b6f55adc870d6bb6a46c8efb19f2d3c52be33ff4327ea68fa69fae0f40666f9ccd96723efda3df73976e96bb5da7a4df72458411b9eb1c3

memory/2424-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2424-50-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2424-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2424-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2424-57-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe

MD5 c4070da9f9b0581171af16e681ccdff8
SHA1 3fb4182921fdc3acd7873ebe113ac5522585312a
SHA256 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
SHA512 c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427

memory/2144-70-0x00000000008C0000-0x00000000009C0000-memory.dmp

memory/2144-73-0x0000000000230000-0x000000000027B000-memory.dmp

memory/1528-75-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1528-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1528-78-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1528-79-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2424-80-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2424-91-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarBCCB.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:55

Reported

2024-01-15 05:00

Platform

win10-20231220-en

Max time kernel

13s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe"

Signatures

Detect Vidar Stealer

stealer

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e83253ac-c548-4ae9-ba5d-daf40a11c3e7\\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 32 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe
PID 5096 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe C:\Windows\SysWOW64\icacls.exe
PID 5096 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe
PID 652 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe

"C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe"

C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe

"C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\e83253ac-c548-4ae9-ba5d-daf40a11c3e7" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\114a5cb3-dbbe-4e93-9e9c-b58f5e3d0f73\build2.exe

"C:\Users\Admin\AppData\Local\114a5cb3-dbbe-4e93-9e9c-b58f5e3d0f73\build2.exe"

C:\Users\Admin\AppData\Local\114a5cb3-dbbe-4e93-9e9c-b58f5e3d0f73\build3.exe

"C:\Users\Admin\AppData\Local\114a5cb3-dbbe-4e93-9e9c-b58f5e3d0f73\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 2124

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
MX 201.119.97.253:80 habrafa.com tcp
US 8.8.8.8:53 253.97.119.201.in-addr.arpa udp
KR 211.181.24.133:80 brusuax.com tcp
US 8.8.8.8:53 133.24.181.211.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
DE 116.202.0.196:10220 tcp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\e83253ac-c548-4ae9-ba5d-daf40a11c3e7\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe

MD5 a3790a729a8151b6ef93264c3453a43b
SHA1 49a5fd7ec7d173e951482399854b4d88e9b4ec97
SHA256 9bb8f59333ce6ff89161dd00816ed4bad8522954e57fa2b86ceee8e585a018a0
SHA512 784123dc09c0fbf28d16e9b26bfa3e334474a816c3e93fc3d6dd2c9be607ea48baf7658f24e3518190879f548834aa2e0faeb1e47581ae1ca5ec0700f2d66c01

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 ef951804d83d42e94093d6f68c07f9d2
SHA1 864e4060cb37218705d153ff2c8d553fe9b318c2
SHA256 d6ad7cd11a8ed0a8aaaf5517cf22e56ec54a0a191c1bf51d0ef3cacdb8be6640
SHA512 52baa65e1282b5a639bef6d0b1f807dda888df48832a8ee85d05fbc1623e5aaa3fb25b6185f8f0207ed67cf87465d8bdcc76f24c892c6867764afd2d51bfd651

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a5880bb558f251bf49601bdbc890a20a
SHA1 f43fd9888c04ce6ea577d11091ec0a677a9be5c3
SHA256 1ac8406c325ff9be59cda63c503f97f6d3c8755fbc0e4e15513005b53e16727c
SHA512 e619f75a15b0452f3d341e3da5a4c932983e4d2cf11d47c06e722fc942627fad203c157c439fdede7f212021a2700628386873018b194a394ca154139faa8b8f

C:\Users\Admin\AppData\Local\114a5cb3-dbbe-4e93-9e9c-b58f5e3d0f73\build2.exe

MD5 d7013d4a16dcb0ae1c0ac2c19efe97ea
SHA1 8d5d3fe7ac2185590945ddc1a9d2f57c2adc1798
SHA256 5f14916a8a0774595b499bad71b3b7b99b975988c385d1f6ed1da193fbd55e8b
SHA512 3f57ec1b2846268a23168274961688895e2237fb0a3436f05b8f646c8ac06346930768832cfd8e0299da00a3901b7d0cc3ae42b363c11451a99dc96cc39e936b

C:\Users\Admin\AppData\Local\114a5cb3-dbbe-4e93-9e9c-b58f5e3d0f73\build2.exe

MD5 227bfb0951a0d2f67a8a6e5aee226287
SHA1 cf91ffd1b9c0d31376b4f4b418f7749af3b1ae83
SHA256 c94b13569cd5a65aca14485be5c22d6d7d50ecb00168225c85427be51ceb0b41
SHA512 2105a7c8a4092ab0c2475e909abc541b68835557a310f28c45c6614c9ed0b8438f482abdfda2558e240002b0520e33e519e9189fbb9b2c25727db2bfc2cbd288

C:\Users\Admin\AppData\Local\114a5cb3-dbbe-4e93-9e9c-b58f5e3d0f73\build2.exe

MD5 dc94417658b1f709196f99a4aefc5d07
SHA1 eee92c99e882bd027724d07397fbf2be12fad50c
SHA256 af3af3b808598bd7c394873d6fd849c86b7b065e46389711924381da30791311
SHA512 bf3fc3cf9cf271d928a9d7c81f04204fee8b91a76b02a8b99f59fcdd57e26b1fe656dd443cc002d1b841ca155de7bb41053514d9460ea72dc9b75cd150664b16

C:\Users\Admin\AppData\Local\114a5cb3-dbbe-4e93-9e9c-b58f5e3d0f73\build3.exe

MD5 2185ec6ff89c19bedd26198d18c6fdfd
SHA1 ec9258ae360862f5aeb4f9002162fdf0d32750bb
SHA256 ec7529430a9fa15bb599f5d8c28f61f3bf124a40bb8bfb5565828f5c8cb145ce
SHA512 011520c59b9cd6b27197fe00dc14ead319a02b6d2fb89693624ce322b78d3c2ae3371d946d9f66461994afb4248f6f563ec190a1558fe82493eaa75376857232

C:\Users\Admin\AppData\Local\114a5cb3-dbbe-4e93-9e9c-b58f5e3d0f73\build3.exe

MD5 8b6a819c6926597dfa7529b692d7a6cc
SHA1 50c535e9cca464afd3a589d2231d87ce417d4312
SHA256 b9cb5501cc2d257e049e1757062523c7f9ee5a85d57d46538fe492125befd26c
SHA512 dfd28b270d99ad89f8ce1df9750b92ff558f73fe2448bf182b5c1c05c7b180bb29175eeaf5a7c918791d64b36167fc1a6044f1aaff838e02e878782f5f6c0ba9

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 cd96202c79ed00694ab8e766210e2273
SHA1 a4b3ce543f04d25ea82d32761b5740429abc8f6d
SHA256 53aed3f1047e9c5ab66b3b859540821c274ca25b0947e68dba892f87a806f91e
SHA512 aaa2856ae95d4ab556886c12c3f48607c968c9e9b4364e07d4a52e75dc7d9eb7c16bcde2e2250bcedb6e691da9256f8a7287faab962cac5cd2952c295ea12ba5

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 bc9eaccb92834aa657c018db83528f96
SHA1 68dd4fc506f06e5a5def07d963b660f2af5b600d
SHA256 4c753d8ef6d03dd4101bb9fd3b89e569b6d1cbea6a4970080ed12014557c474c
SHA512 5316c86b8f66d56f10aa765a2e33df754d0a87742a4310abd9c93ea9a4e3bc624075f07dcf6fb3aac8b57a4f911f603303bc7df1a251ada06592fa0d104a4e1b

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 e6e191ea6c57f0ab22152f3aec61e771
SHA1 d31c67b48d6e4ebe447bd1ae0a00c15a35abbc3d
SHA256 d12b26bdd97c860c729088bab2de6db667c562e023eb2cfb5db536146accff2e
SHA512 0f493586bbdfd65369a1c918fa2e42e03030415091b64f0df80662ff1f63a1bd9a5b2ce0f5855d3957bd2f95d56888cc597234d91c370c8e34eb091f05eb1baf

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 3d5a035c7e9ff3d5e8e60982fa667810
SHA1 f87a8286c0046ef256d676ff26ea26162d0194bd
SHA256 f54febd75150d67815ca248c80ad9833e1f3f3e699b49694d1010d018fe5c6cb
SHA512 f43287e118cb0d20c63ba1d4e2eda5cbd9ce221a8f32131c6444088a054a5812d0d7ade930955be8637c6923d83bc24a8890e91f0ff9597716b5758cb974112b

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 d35c806c95b926208b06f305860de044
SHA1 fd111b2072749c0e2b3f1bb7102e4fbcdd8b931b
SHA256 722325dfc7e0a3d8b9c5bcf978e54f9a90a83ffa5d14372a51dc7c3609fee061
SHA512 cb5f66f83bd6a8ddad6d740479d17352d3a8249ab6fec7ea0ee071dcc7f9855ed378dee61bb65e92d272e3fb8187282ce08d0694550cfa610bf6e6508ec5b6a6

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 7ac590b0f60109c6885297639b399aff
SHA1 5e3d225b12fe3786f6fcd5b8933361fbaab00448
SHA256 d29b62f633ee16d0014125eaab6bf7a7b51f2a2e48434f3daf8930d19581909a
SHA512 35883d148b45a09c8c7e45136b2b4cff44c8f3bec8bdf86659757fdd2e83425c8b80454cbc43fe33507d647abb6328400cfc8750b3525439ad15bea0d18c059c

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9f2a96367a52c87cfc6a9126f452cc2d
SHA1 6df22db4fb95700b0f121bf2e6d345ff9075079d
SHA256 d19625b085e39f32ee3a9740cc622b0328aa321d83cae210599351d1402a3f47
SHA512 d72cd533c12a1d435e43d8f2a7a31b1595feaa8069bb39a99e4467751090e57f8f6fe0b262a5a78ea5bf3ff55e35bf3dc1ab653468fef7527bbacf5a505e967d

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 6d6bf27d4f8bcf7afce1ade269983408
SHA1 3de8af0ea8e84758c0f618d02240b35e867a90ad
SHA256 45d6dab0457ca8013f56a442a594618e0e8cf5c45b8e58debcc9fc12d47caae8
SHA512 919f5aa13479cda4df9964cbbf296942368140993877ca1dec1485484ca9708ab2830552a3c468c8fc5ae1160bc9e8180481211d3453d4d817a5a898eb4bafd2

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 855a6c01739b0c34131081b6237d9d8b
SHA1 edd4ffb04c289a036cdebb5cb8c839092d7a6e4c
SHA256 4bd0bcdcab226b0c7498656543d9017925553735170dc8ce88e628782063806e
SHA512 4c01ca3b17fdfdad6a245c9d3ff978bba0c96e0c87b64109e33e559e4de9ae321a8864a6a5cd28795a40aabc2b620de2a636a03b5af8a1bb7ef45bf2337fa320

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 03a92b8a9d36fbf94fe977bbc3893658
SHA1 9d6ec4eee3f47ccc7ae0d1b22238eeb6802c69db
SHA256 647c32d6db0656b885170580bfd380bd8bc12dd8cc98014d2a3f00d9af38f01e
SHA512 d39d719dfafeecf9cb728b9edd31655c8c5f42e6f28c8857a44e82cc447d9e81f6535ce1a87a29cf5e30a21ed57d14ea76fb123dfd2932fd2c7999d327f55de4