Malware Analysis Report

2025-08-10 18:24

Sample ID 240115-fk1swahgdm
Target b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5
SHA256 b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5
Tags
djvu vidar discovery persistence ransomware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5

Threat Level: Known bad

The file b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5 was found to be: Known bad.

Malicious Activity Summary

djvu vidar discovery persistence ransomware stealer

Detected Djvu ransomware

Vidar

Detect Vidar Stealer

Djvu Ransomware

Downloads MZ/PE file

Loads dropped DLL

Modifies file permissions

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:56

Reported

2024-01-15 05:01

Platform

win7-20231215-en

Max time kernel

299s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\356c2969-5b64-4da1-afdc-1539ee879782\\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2136 set thread context of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2468 set thread context of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2168 set thread context of 1628 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
PID 2532 set thread context of 332 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
PID 3012 set thread context of 2644 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2216 set thread context of 1924 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1312 set thread context of 340 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1548 set thread context of 2080 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2136 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2136 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2136 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2136 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2136 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2136 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2136 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2136 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2136 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2136 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2824 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Windows\SysWOW64\icacls.exe
PID 2824 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Windows\SysWOW64\icacls.exe
PID 2824 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Windows\SysWOW64\icacls.exe
PID 2824 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Windows\SysWOW64\icacls.exe
PID 2824 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2824 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2824 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2824 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2468 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2468 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2468 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2468 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2468 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2468 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2468 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2468 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2468 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2468 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2468 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2620 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
PID 2620 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
PID 2620 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
PID 2620 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
PID 2168 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
PID 2168 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
PID 2168 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
PID 2168 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
PID 2168 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
PID 2168 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
PID 2168 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
PID 2168 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
PID 2168 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
PID 2168 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
PID 2168 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
PID 1628 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1628 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1628 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1628 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2620 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
PID 2620 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
PID 2620 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
PID 2620 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
PID 2532 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
PID 2532 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
PID 2532 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
PID 2532 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
PID 2532 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
PID 2532 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
PID 2532 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
PID 2532 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
PID 2532 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
PID 2532 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
PID 332 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe

"C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe"

C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe

"C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\356c2969-5b64-4da1-afdc-1539ee879782" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe

"C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe

"C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe

"C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe"

C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe

"C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 1444

C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe

"C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe"

C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe

"C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {463077D9-47CD-4ED0-956B-B88E524C77BF} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
PA 190.218.35.224:80 habrafa.com tcp
MX 187.211.34.211:80 brusuax.com tcp
PA 190.218.35.224:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp

Files

memory/2136-1-0x00000000002A0000-0x0000000000332000-memory.dmp

memory/2824-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2824-8-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2824-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2136-3-0x0000000001F90000-0x00000000020AB000-memory.dmp

memory/2824-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2136-0-0x00000000002A0000-0x0000000000332000-memory.dmp

C:\Users\Admin\AppData\Local\356c2969-5b64-4da1-afdc-1539ee879782\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe

MD5 22788ef65dc39ffef5312db57b0c9310
SHA1 e836c5e938eff1179dc6b774a09d3e7e90265593
SHA256 9b71de9cf866b5b585d1e8c174c8c2048736c1a35cbceec1dd57007981e531c6
SHA512 29b0e053cce0f6e73085e968af1c15c4b0a555523ee429947b193097d3506e3ceda5d2a4aed84aecfa8539e843ae845739fcf13110b069292e9c75ed8b8a7498

memory/2824-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2468-28-0x00000000004C0000-0x0000000000552000-memory.dmp

memory/2620-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2620-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2468-29-0x00000000004C0000-0x0000000000552000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\Local\Temp\Cab915.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 91462fff5e024ff68587cb99536df527
SHA1 32d8a51b9b33fb8f073a3e8294caa54f1ce9c0a3
SHA256 cf8e8a70e603049d21d5b49f14c1ee1390695208381466caaf3d3298340ecc7f
SHA512 127a30d18faf1ca1940f6748b592277685c1eb5a79b9e6de7bd14061a3a0610eb8f23d0128cd827cb392d886ab2c5ebfa6be54bfc225bf465809d72e4d9f2938

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 d6aff1f132ae20154c85d34d81f08df0
SHA1 39d4255799529b1810b2cedff76468deffd62361
SHA256 2dfab86586ecf066e64645e25c303a993bf8dc553a123670acd7162273c76f5d
SHA512 4fb7f8b3dc0ded44af80fb35fade0611fd021d555b95fb8d2bfb7233be7c55b8e38c6e2f742f4ad952b112e6da744300b7618dd07db8e67cefb488fca4ab2c32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 4862e55474a68bd103b48d8276555bc8
SHA1 dbe4d390b5dfa7035feb496c10cc8ca523232899
SHA256 c8a0d03c1b272ad150705519a1a4f4a38b94cf108516ee5638ec3beda45913a0
SHA512 38b1ba6427d831bbc9d73cb53e91525109765e6bb866914c6ed73d21c9e798af662a5edfe64ff25765bacb4192320558ac1241dc2f65ab56af8b1ac93e6913b5

memory/2620-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2620-48-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2620-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2620-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2620-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2620-57-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe

MD5 7f531c744b9b3e4aa7c43f594373862f
SHA1 b639aff94453644fde55e69701da371b5701a9d4
SHA256 1d03309bb5e2db582a71936421e05bcd710d9b7032aab5799c977602c6d17227
SHA512 c9f49df136fd9c87e321640b8347dea54fc1d1b6393dad57d4598b781350038caa7c1804e411a532f6140228d0d3bc55cecb9c43028e0b56b2e5f34b36a4d9aa

C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe

MD5 b071926dcdb69fc865386c11d5af1549
SHA1 92310d34e8b3dfa6f6a8357e7fca6ac17441ca36
SHA256 e53bf6142b8c04425d0295e0b128af57310f7c052d93ce626520774d7a3d978e
SHA512 28affb69a6d3421693b771d06ef6102b4c3045ecaa777e7ed13d90071cdb0735bbc6d30c9411b2aed6419744e3643ff93d9c16c3aafb9a2c2d1bf1c7bcf34ad8

C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe

MD5 5b586278979a109655f55c7d0175d106
SHA1 522262741c052a130958e582a3c8b1b68e6ee0b5
SHA256 ce1e4fdf5ba3b89a95def955b6e89ca2bd819a90294d98dfa3efcf1e798d136c
SHA512 4091cb6fae153845ceb45590327c67b6684a1eb1cb67bf85e3bb6888a4f990bbfd21c018b9d108e20ff7c6ef5be71b23ae7f0bee573ff269bf7b9449372ed9b1

memory/1628-73-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1628-79-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1628-78-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2168-77-0x0000000000280000-0x00000000002CB000-memory.dmp

memory/2168-75-0x0000000000660000-0x0000000000687000-memory.dmp

C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe

MD5 109f7b17791be79c8253edd0d267d8ad
SHA1 34143163df2135220184a23287802fe47381bc36
SHA256 e7bdbea65830b81532dd18aa6a98b7d875100dc177ff6bc3f86963584aaf024b
SHA512 3a20113d32ce86471af55ac459e35f750514dfba2f75a440e5f56a1b8b05192ffa6a8c2714c170ad3600a42bf493820c3a2e74d948a5cd0b3166d31eddd9c89a

memory/1628-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe

MD5 f1e34351afeb5d0dde190bed8f6854e0
SHA1 59afa42f892a0389e9e95d05b257385ba5041e87
SHA256 543e79ace9beffd86df38e5e2ff01416edb8026834b61674dd39343513085c7e
SHA512 ea327f043610bb4d06e40a8774107208e84ce36d9c06602fdf8b84cd6b3d09016f7859b5f7b103bbb4a1b8bee4eacd26e895bbd933370226d359419518ebc1f8

\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe

MD5 2c89c33e1c69ed6e5c2680e86a66f88c
SHA1 1351ce7db5e2a7d6e9c9d054a89fce8dc2e17ef9
SHA256 82f3c2eb7b8252e8898d1144e93738de4f87cd78eedcfa0372b5b04f58918d6f
SHA512 2ca42581c8494318e7b380338d5fc09adf751a132ccb4dc1fa6c4942a92bfb948613f40f5234bee547c7d6555a384a2489876c9b0e60ed632a34dee2b3783e19

C:\Users\Admin\AppData\Local\Temp\Tar2405.tmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:56

Reported

2024-01-15 05:01

Platform

win10-20231220-en

Max time kernel

298s

Max time network

301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe"

Signatures

Detect Vidar Stealer

stealer

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\67df257f-d713-4b59-b128-cba8f0290b73\\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2492 set thread context of 2160 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2936 set thread context of 3328 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 3164 set thread context of 4448 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe
PID 1460 set thread context of 2188 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe
PID 832 set thread context of 760 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4152 set thread context of 4472 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3784 set thread context of 3772 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1296 set thread context of 1552 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2492 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2492 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2492 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2492 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2492 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2492 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2492 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2492 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2492 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2160 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Windows\SysWOW64\icacls.exe
PID 2160 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Windows\SysWOW64\icacls.exe
PID 2160 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Windows\SysWOW64\icacls.exe
PID 2160 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2160 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2160 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2936 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2936 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2936 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2936 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2936 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2936 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2936 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2936 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2936 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 2936 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
PID 3328 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe
PID 3328 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe
PID 3328 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe
PID 3164 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe
PID 3164 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe
PID 3164 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe
PID 3164 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe
PID 3164 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe
PID 3164 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe
PID 3164 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe
PID 3164 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe
PID 3164 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe
PID 3164 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe
PID 3328 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe
PID 3328 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe
PID 3328 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe
PID 1460 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe
PID 1460 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe
PID 1460 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe
PID 1460 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe
PID 1460 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe
PID 1460 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe
PID 1460 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe
PID 1460 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe
PID 1460 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe
PID 2188 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2188 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2188 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 832 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 832 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 832 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 832 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 832 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 832 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 832 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 832 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 832 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 760 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe

"C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe"

C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe

"C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\67df257f-d713-4b59-b128-cba8f0290b73" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe

"C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe

"C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe

"C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe"

C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe

"C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build2.exe"

C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe

"C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1900

C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe

"C:\Users\Admin\AppData\Local\b019cc69-5a6c-47a7-8ad8-20c3a2b37473\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 habrafa.com udp
US 8.8.8.8:53 brusuax.com udp
KR 211.181.24.133:80 brusuax.com tcp
PE 190.187.52.42:80 brusuax.com tcp
US 8.8.8.8:53 42.52.187.190.in-addr.arpa udp
US 8.8.8.8:53 133.24.181.211.in-addr.arpa udp
PE 190.187.52.42:80 brusuax.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files


memory/3784-151-0x0000000000ABE000-0x0000000000ACE000-memory.dmp

memory/1296-178-0x00000000009E0000-0x0000000000AE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 99250f97f6f7b69b9e88b546b579c2e9
SHA1 c3f0c6b90a28ff6f70aaa26e7ea904e95229149c
SHA256 7cd197f2a5e79cc1927d745ac6a39e91dc03c11f51c23b5844c2065c87509661
SHA512 f9ef00d9fb489fef04ea5179f35a30b516f21b79822ea0980c58d0486d78af41f6ba41878913be76b26161d0e07a1ecd155f3369e7f1812746645dab70b46175