Malware Analysis Report

2025-08-10 18:24

Sample ID 240115-fk849aagb7
Target bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5
SHA256 bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5
Tags
djvu vidar discovery persistence ransomware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5

Threat Level: Known bad

The file bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5 was found to be: Known bad.

Malicious Activity Summary

djvu vidar discovery persistence ransomware stealer

Detected Djvu ransomware

Vidar

Djvu Ransomware

Detect Vidar Stealer

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:57

Signatures

Unsigned PE (no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:57

Reported

2024-01-15 05:02

Platform

win7-20231215-en

Max time kernel

296s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe"

Signatures

Detect Vidar Stealer (stealer): 6 matches; no description, indicator, process or target recorded

Detected Djvu ransomware: 14 matches; no description, indicator, process or target recorded

Djvu Ransomware (ransomware, djvu)

Vidar (stealer, vidar)

Downloads MZ/PE file

Modifies file permissions (discovery)

Process: C:\Windows\SysWOW64\icacls.exe (no description, indicator or target recorded; the full command line is listed under Processes)

Adds Run key to start application (persistence)

Operation: Set value (str)
Key: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run
Value: SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6a20d32c-f979-4f2b-8978-5b4a96fdff66\\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe\" --AutoStart"
Process: C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe

The Run value relaunches the copy the sample dropped into a GUID-named directory under AppData\Local (the same directory the icacls.exe command under Processes protects) with the --AutoStart switch, so persistence survives deletion of the original file in Temp. The value lives under the user hive, so writing it needed no elevation.

Looks up external IP address via web service

Indicator: api.2ip.ua (3 lookups; no description, process or target recorded)

Suspicious use of SetThreadContext

In every row the target is a second copy of the caller's own image, so each row is one stage re-pointing its child's thread into code it wrote there (the matching writes are under WriteProcessMemory below). The pattern repeats for every stage, including the scheduled-task payload mstsca.exe.

PID 2356 set thread context of 2056: C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe (both processes)
PID 2592 set thread context of 2164: same image as above (both processes)
PID 1976 set thread context of 2176: C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build2.exe (both processes)
PID 1760 set thread context of 1056: C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build3.exe (both processes)
PID 2972 set thread context of 2744: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (both processes)
PID 540 set thread context of 628: mstsca.exe (both processes)
PID 1032 set thread context of 1016: mstsca.exe (both processes)
PID 2224 set thread context of 1716: mstsca.exe (both processes)
PID 2220 set thread context of 2568: mstsca.exe (both processes)

Enumerates physical storage devices

Creates scheduled task(s) (persistence)

Process: C:\Windows\SysWOW64\schtasks.exe (2 invocations; no description, indicator or target recorded; the command line is listed under Processes)

Modifies system certificate store (evasion, spyware, trojan)

Process: C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build2.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a
Set value (data): same Blob written a second time by the same process (the duplicate contents were deduplicated out of this copy of the report)

Caveat before treating this as a rogue-CA install: the certificate inside the blob is the DigiCert High Assurance EV Root CA (its subject name is readable in the DER, and 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 is that root's SHA-1 thumbprint). AuthRoot is the store Windows' automatic root update populates when a TLS handshake needs a root that is not yet cached, and the CryptnetUrlCache entries and CabCF6F.tmp/TarE090.tmp listed under Files are consistent with the same mechanism. The signature therefore records the OS reacting to build2.exe's outbound HTTPS connections rather than the malware adding its own trust anchor; what it does establish is that build2.exe is the stage that spoke TLS.
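Decoding the Blob above, as an added example that is not part of the sandbox report. A SystemCertificates Blob value is a sequence of property records, each laid out as a 32-bit property ID, a 32-bit field that is 1 in practice, a 32-bit length and the data; property 0x20 (CERT_CERT_PROP_ID) holds the DER certificate and property 0x03 its SHA-1 hash. The code below parses that layout with only the standard library, walks the DER far enough to read the subject CN, and checks that the SHA-1 of the embedded certificate equals the thumbprint the registry key is named after, which is the test to run whenever this signature fires. The hex constant is the report's own blob with the line break removed; the property names come from wincrypt.h and the helper names are this example's own.

```python
import hashlib
import struct

# Property IDs present in this blob (wincrypt.h CERT_*_PROP_ID values).
PROP_NAMES = {0x03: "SHA1_HASH", 0x09: "ENHKEY_USAGE", 0x0B: "FRIENDLY_NAME",
              0x0F: "SIGNATURE_HASH", 0x14: "KEY_IDENTIFIER", 0x1D: "SUBJECT_NAME_MD5_HASH",
              0x20: "CERT", 0x53: "ROOT_PROGRAM_CERT_POLICIES"}

def parse_cert_blob(blob):
    """Split a Blob value into {property id: raw bytes}.
    Each record is <propid u32 LE><reserved u32 LE, 1 in practice><length u32 LE><data>."""
    props, off = {}, 0
    while off < len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed record at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props

def der_tlv(buf, off=0):
    """Read one DER tag/length/value at off; return (tag, value, offset after it)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def der_children(body):
    out, off = [], 0
    while off < len(body):
        tag, val, off = der_tlv(body, off)
        out.append((tag, val))
    return out

def common_name(name_body):
    """CN from a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn in der_children(name_body):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            if oid == b"\x55\x04\x03":      # id-at-commonName, 2.5.4.3
                return value.decode("ascii")
    return None

def summarize_blob(blob_hex):
    """Pull the DER cert out of the blob and verify it against the stored thumbprint."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[0x20]
    _, cert, _ = der_tlv(der)               # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    fields = der_children(der_children(cert)[0][1])
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]
    return {
        "properties": sorted(PROP_NAMES.get(p, hex(p)) for p in props),
        "friendly_name": props[0x0B].decode("utf-16-le").rstrip("\x00"),
        "stored_thumbprint": props[0x03].hex(),
        "thumbprint_matches": hashlib.sha1(der).hexdigest() == props[0x03].hex(),
        "common_name": common_name(subject),
        "self_signed": issuer == subject,
        "cert_len": len(der),
    }

# The report's Blob value (the report's line break inside the hex removed). Issuer and
# subject are the same Name, so it is spelled once; modulus and signature are 256 bytes each.
_NAME = ("306c310b3009060355040613025553" "31153013060355040a130c446967694365727420496e63"
         "31193017060355040b13107777772e64696769636572742e636f6d"
         "312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341")
_MODULUS = ("c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1c"
            "b05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f7"
            "4aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e3"
            "06e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8d"
            "b3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c"
            "89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55"
            "db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0a"
            "a838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb")
_SIG = ("1c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af3"
        "7ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5"
        "219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e355"
        "47316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b"
        "318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b"
        "0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4"
        "ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9c"
        "bf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a")
AUTHROOT_BLOB_HEX = (
    "0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8"
    "090000000100000034000000303206082b0601050507030106082b0601050507030206082b06010505070304"
    "06082b0601050507030306082b06010505070308"
    "5300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0"
    "140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc3"
    "0b00000001000000120000004400690067006900430065007200740000001d000000010000001000000"
    "08f76b981d528ad4770088245e2031b63"
    "0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"
    "2000000001000000c9030000"
    "308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500"
    + _NAME + "301e170d3036313131303030303030305a170d3331313131303030303030305a" + _NAME
    + "30820122300d06092a864886f70d01010105000382010f003082010a0282010100" + _MODULUS + "0203010001"
    + "a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff"
    "301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3"
    "301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3"
    "300d06092a864886f70d01010505000382010100" + _SIG
)

if __name__ == "__main__":
    for key, val in summarize_blob(AUTHROOT_BLOB_HEX).items():
        print(f"{key}: {val}")
```

If thumbprint_matches were False the key name would not describe the certificate it holds, which is the one situation where an AuthRoot write deserves a closer look; here it matches and the CN is DigiCert's, so the write is the root auto-update at work.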

Suspicious use of WriteProcessMemory

Rows collapsed: the sandbox logs one row per call, so the count is the number of writes into that child. "sample.exe" below stands for C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe; build2.exe and build3.exe live in C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\.

PID 2356 wrote to 2056 (11 writes): sample.exe -> sample.exe
PID 2056 wrote to 1048 (4 writes): sample.exe -> C:\Windows\SysWOW64\icacls.exe
PID 2056 wrote to 2592 (4 writes): sample.exe -> sample.exe
PID 2592 wrote to 2164 (11 writes): sample.exe -> sample.exe
PID 2164 wrote to 1976 (4 writes): sample.exe -> build2.exe
PID 1976 wrote to 2176 (11 writes): build2.exe -> build2.exe
PID 2164 wrote to 1760 (4 writes): sample.exe -> build3.exe
PID 1760 wrote to 1056 (10 writes): build3.exe -> build3.exe
PID 1056 wrote to 1272 (4 writes): build3.exe -> C:\Windows\SysWOW64\schtasks.exe
PID 2176 wrote to 2356 (1 write): build2.exe -> C:\Windows\SysWOW64\WerFault.exe

How to read it: the four-write groups go to ordinary children (icacls.exe, schtasks.exe, the next stage) and are consistent with the writes CreateProcess itself performs to populate a new child's parameters, so on their own they are noise. The ten- and eleven-write groups each target a second copy of the writer's own image and pair one-to-one with the SetThreadContext rows above: the parent writes a new image into the child, then re-points the child's thread into it. The final row is 2176 writing into WerFault.exe, which is running as PID 2356 because that number was freed when the first sample process exited; it is Windows Error Reporting collecting the crash of 2176 (the "Program crash" signature).

Processes

Parent/child links below are taken from the WriteProcessMemory and SetThreadContext rows above, and the PIDs are the ones recorded there. Every stage starts a second copy of its own image, writes into it and re-points its thread, so the second copy is the one doing the work.

C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe (PID 2356)
  "C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe"
  > same image (PID 2056; written to and re-pointed by 2356)
    "C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe"
    > C:\Windows\SysWOW64\icacls.exe (PID 1048)
      icacls "C:\Users\Admin\AppData\Local\6a20d32c-f979-4f2b-8978-5b4a96fdff66" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      Denies Everyone (S-1-1-0) the delete and delete-child rights on the drop directory, inherited by everything inside it, so the persisted copy referenced by the SysHelper Run value cannot be removed until the ACL is repaired.
    > same image (PID 2592)
      "C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe" --Admin IsNotAutoStart IsNotTask
      > same image (PID 2164; written to and re-pointed by 2592)
        "C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe" --Admin IsNotAutoStart IsNotTask
        > C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build2.exe (PID 1976)
          "C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build2.exe"
          > same image (PID 2176; written to and re-pointed by 1976; the stage that made the TLS connections, see the certificate store and Files sections)
            "C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build2.exe"
            > C:\Windows\SysWOW64\WerFault.exe (PID 2356, the number reused after the first sample process exited)
              C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 1448
              Windows Error Reporting handling the crash of 2176.
        > C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build3.exe (PID 1760)
          "C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build3.exe"
          > same image (PID 1056; written to and re-pointed by 1760)
            "C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build3.exe"
            > C:\Windows\SysWOW64\schtasks.exe (PID 1272)
              /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
              A task named to pass as an Azure component, firing every minute and running a binary from the user's roaming profile; /F silently overwrites any existing task of that name.

C:\Windows\system32\taskeng.exe
  taskeng.exe {63689AB5-E980-4B44-A099-BE315B20F2FC} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
  The Task Scheduler engine for the interactive session, which runs the task above.

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  20 launches recorded (no arguments). Five of them (PIDs 2972, 540, 1032, 2224 and 2220) each started a second copy of the image and set its thread context (children 2744, 628, 1016, 1716 and 2568), the same pattern as the stages above; the remaining launches include those second copies and further firings of the minute-interval task.

C:\Windows\SysWOW64\schtasks.exe (second invocation, recorded between the mstsca.exe launches)
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  Re-creates the same task.
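Host-side checks for the three persistence and tamper artifacts this detonation recorded (the icacls deny on the drop directory, the minute-interval scheduled task, and the SysHelper Run value), plus the self-spawn that precedes each SetThreadContext pair. This is an added example, not part of the sandbox report: it runs a few rules over constructed process-creation and registry events in the shape an EDR or Sysmon pipeline would supply. The first four events reproduce the command lines and registry value from this report, the last two are benign look-alikes that must not fire. The Event class, its field names, the rule names and the thresholds are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Locations a standard user can write to: persistence from here needed no admin rights.
USER_WRITABLE = re.compile(r"(?i)[a-z]:\\users\\[^\\]+\\appdata\\")
# The drop-directory style seen in this report: a random GUID directly under AppData\Local.
GUID_DIR = re.compile(r"(?i)\\appdata\\local\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\\")

@dataclass
class Event:
    kind: str                 # "process" (image, parent_image, cmdline) or "registry" (key, value)
    image: str = ""
    parent_image: str = ""
    cmdline: str = ""
    key: str = ""
    value: str = ""

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def rule_icacls_deny_everyone(ev):
    """icacls denying Everyone (S-1-1-0) on a user-writable directory: self-protection of a drop dir."""
    if ev.kind != "process" or _basename(ev.image) != "icacls.exe":
        return None
    m = re.search(r'"([^"]+)"\s+/deny\s+\*?(?:S-1-1-0|everyone):', ev.cmdline, re.I)
    if m and USER_WRITABLE.search(m.group(1)):
        return f"icacls denies Everyone on {m.group(1)}"
    return None

def rule_minute_task_user_path(ev):
    """schtasks creating a task that fires every minute and runs a binary from the user profile."""
    if ev.kind != "process" or _basename(ev.image) != "schtasks.exe":
        return None
    c = ev.cmdline
    if not re.search(r"/create\b", c, re.I) or not re.search(r"/sc\s+minute\b", c, re.I):
        return None
    tr = re.search(r'/tr\s+"([^"]+)"', c, re.I)
    tn = re.search(r'/tn\s+"([^"]+)"', c, re.I)
    if tr and USER_WRITABLE.search(tr.group(1)):
        return f"task {tn.group(1) if tn else '?'} runs {tr.group(1)} every minute"
    return None

def rule_run_key_autostart(ev):
    """Run-key value whose command lives under AppData (the report's SysHelper = ...\<guid>\<sample>.exe --AutoStart)."""
    if ev.kind != "registry" or not re.search(r"\\currentversion\\run\\", ev.key, re.I):
        return None
    if USER_WRITABLE.search(ev.value):
        note = " (GUID-named drop directory)" if GUID_DIR.search(ev.value) else ""
        return f"Run value {ev.key.rsplit(chr(92), 1)[-1]} -> {ev.value}{note}"
    return None

def rule_same_image_child(ev):
    """A process starting a second copy of its own image. Weak alone (some legitimate software
    does it), but it is the precondition for the SetThreadContext/WriteProcessMemory pairs here."""
    if ev.kind == "process" and ev.parent_image and ev.parent_image.lower() == ev.image.lower():
        return f"{_basename(ev.image)} spawned itself (corroborate with thread-context telemetry)"
    return None

RULES = [rule_icacls_deny_everyone, rule_minute_task_user_path,
         rule_run_key_autostart, rule_same_image_child]

def triage(events):
    """Return (event index, rule name, detail) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((i, rule.__name__, detail))
    return hits

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe"
DROP = r"C:\Users\Admin\AppData\Local\6a20d32c-f979-4f2b-8978-5b4a96fdff66"
# Constructed events: 0-3 reproduce this report's command lines and Run value, 4-5 are benign.
EVENTS = [
    Event("process", image=SAMPLE, parent_image=SAMPLE, cmdline=f'"{SAMPLE}"'),
    Event("process", image=r"C:\Windows\SysWOW64\icacls.exe", parent_image=SAMPLE,
          cmdline=f'icacls "{DROP}" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    Event("process", image=r"C:\Windows\SysWOW64\schtasks.exe",
          cmdline=r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" '
                  r'/tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'),
    Event("registry",
          key=r"HKU\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper",
          value=f'"{DROP}\\{SAMPLE.rsplit(chr(92), 1)[-1]}" --AutoStart'),
    Event("process", image=r"C:\Windows\System32\schtasks.exe",
          cmdline=r'/create /sc daily /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'),
    Event("process", image=r"C:\Windows\System32\icacls.exe",
          cmdline=r'icacls "C:\Users\Admin\Documents" /grant Admin:(OI)(CI)F'),
]

if __name__ == "__main__":
    for idx, name, detail in triage(EVENTS):
        print(f"[{idx}] {name}: {detail}")
```

The first three rules are specific enough to alert on directly; the self-spawn rule is only there to be joined with thread-context or cross-process-write telemetry, exactly as the SetThreadContext and WriteProcessMemory tables in this report pair up.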

Network

Rows collapsed; Count is the number of identical rows in the capture.

Country Destination Domain Proto Count
US 8.8.8.8:53 api.2ip.ua udp 1
US 172.67.139.220:443 api.2ip.ua tcp 2
US 8.8.8.8:53 brusuax.com udp 1
BA 185.12.79.25:80 brusuax.com tcp 1
US 8.8.8.8:53 habrafa.com udp 1
PE 190.187.52.42:80 habrafa.com tcp 2
US 8.8.8.8:53 t.me udp 1
NL 149.154.167.99:443 t.me tcp 4
US 8.8.8.8:53 steamcommunity.com udp 1
GB 104.103.202.103:443 steamcommunity.com tcp 1
FI 65.109.241.139:443 (no domain; contacted by IP) tcp 4
US 8.8.8.8:53 www.microsoft.com udp 1

Order of first contact: api.2ip.ua, brusuax.com, habrafa.com, t.me, steamcommunity.com, 65.109.241.139, then the www.microsoft.com lookup and one more session to 65.109.241.139.

Reading the table: the api.2ip.ua traffic is the "Looks up external IP address via web service" signature, a geolocation check made before anything else. t.me and steamcommunity.com are legitimate services reached over HTTPS; Vidar is known to fetch its real C2 address from a profile page on exactly these services, and the direct-to-IP TLS sessions to 65.109.241.139 that follow are what such a lookup produces. brusuax.com and habrafa.com are the only plain-HTTP destinations and the only ones not tied to a public service. For blocking, the usable indicators are brusuax.com, habrafa.com and 65.109.241.139; t.me and steamcommunity.com cannot be blocked without collateral damage, and api.2ip.ua is a generic IP-lookup service worth alerting on rather than blocking.

Files

Dropped or written files

C:\Users\Admin\AppData\Local\6a20d32c-f979-4f2b-8978-5b4a96fdff66\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
  MD5 14a5973627a876bdbafb029a26084f64
  SHA1 5514e9a9d8806406ff9921c9be25bd1e314b0b9b
  SHA256 bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5 (identical to the submitted sample: a byte-for-byte self-copy into the ACL-protected directory the Run value points at)
  SHA512 e6cefb5181f6bfef6c17afc961e5d8186115ce01e06160a4c08b88933f314f9e64010c04936e2511af543e49218fc4186bc59239e5d4254b10b3d517ca644808

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
  SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
  SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
  SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  MD5 94d862dfd39b9de03509e9d1ec734b38
  SHA1 675dbd59918e9bdfc8a218758de83827ca2385a3
  SHA256 d57b2bba21c0e3ea6eea449afb6ed318b4a985b3c374dfdad848f32c42c2d37f
  SHA512 f35ff2a180c3ddce20ef15b4c2d03166778bf246a64efa5485bcd624b8404e56f80c0e68407a8e818904ad76f4d0c841ec408610addf8fdc9e3430ea0178fcdb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  MD5 8202a1cd02e7d69597995cabbe881a12
  SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
  SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
  SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  MD5 ea636d4e6edaddf0d2ef0c6d7ac17680
  SHA1 a2f072d5820023d97799bb616a2c3ff0d69cf23c
  SHA256 ab3c4e196441db2c0c0306c8749e2d54f7a1bef2fa896878f047321bd8d0b4e9
  SHA512 534a022e28aa2af8e037680f362ee537d8022572e70e88aeb912d0d4890fc03458a023e7e39bea9d9eb26809c360e2374a4115bb327ce0e1c2d4c1aec97c39ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5 842665c705636585a5b1d24fadd85eb8
  SHA1 61978cfa31861b545179de6f143fe91a67cc50c4
  SHA256 9cdfa5fbd365d9a08f47a72477abf80e46fc36f9b776640d058eb218a12e15ee
  SHA512 40524f85fd35d709013efe7d30917a0bb320da5e934fe10e14cd0b4aa5c7edc26b913f6aa3df10769e0d2d329cc90c576e290fc7d1b3f5a4e2a467ba6c6b7b54

C:\Users\Admin\AppData\Local\Temp\CabCF6F.tmp
  MD5 ac05d27423a85adc1622c714f2cb6184
  SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build2.exe
  MD5 c4070da9f9b0581171af16e681ccdff8
  SHA1 3fb4182921fdc3acd7873ebe113ac5522585312a
  SHA256 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
  SHA512 c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427

C:\Users\Admin\AppData\Local\Temp\TarE090.tmp
  MD5 9c0c641c06238516f27941aa1166d427
  SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build3.exe (path recorded without a drive letter)
  MD5 41b883a061c95e9b9cb17d4ca50de770
  SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
  SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
  SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

The CryptnetUrlCache entries and the Cab/Tar temp files are written by the OS certificate machinery, not by the sample, and go with the AuthRoot write discussed under Signatures. The build2.exe and build3.exe hashes, and the two GUID directory names, are the indicators to keep from this list.

Memory regions dumped (file names follow memory/<pid>-<n>-<start>-<end>-memory.dmp)

PID 2356 (first sample process): 0x300000-0x392000 (dumps 0, 1); 0xAC0000-0xBDB000 (dump 2)
PID 2056 (sample, second copy): 0x7EFDE000-0x7EFDF000 (dump 3); 0x400000-0x537000 (dumps 5, 7, 8, 26)
PID 2592 (sample, --Admin): 0x230000-0x2C2000 (dumps 28, 29)
PID 2164 (sample, --Admin, second copy): 0x400000-0x537000 (dumps 34, 35, 48, 49, 75, 77, 78, 86, 125)
PID 1976 (build2.exe): 0x550000-0x650000 (dump 64); 0x230000-0x27B000 (dump 66)
PID 2176 (build2.exe, second copy): 0x7EFDE000-0x7EFDF000 (dump 63); 0x400000-0x65E000 (dumps 67, 70, 71, 182, 247)
PID 1760 (build3.exe): 0x990000-0xA90000 (dump 186); 0x230000-0x234000 (dump 187)
PID 1056 (build3.exe, second copy): 0x400000-0x406000 (dumps 189, 192, 194)
PID 2972 (mstsca.exe): 0x860000-0x960000 (dump 252)
PID 540 (mstsca.exe): 0x2D0000-0x3D0000 (dump 276)
PID 628 (mstsca.exe, second copy): 0x410000-0x591000 (dump 283)
PID 1032 (mstsca.exe): 0x960000-0xA60000 (dump 305)
PID 2224 (mstsca.exe): 0x960000-0xA60000 (dump 333)
PID 2220 (mstsca.exe): 0x900000-0xA00000 (dump 363)

Where to look first: the 0x400000 region of each second copy (2056 and 2164 at 0x400000-0x537000, 2176 at 0x400000-0x65E000, 1056 at 0x400000-0x406000) is the natural candidate for the unpacked stage, since those are the processes their parents wrote into before re-pointing the thread; the parents' own dumps cover other ranges.

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:57

Reported

2024-01-15 05:02

Platform

win10-20231220-en

Max time kernel

14s

Max time network

293s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe"

Signatures

Detect Vidar Stealer

stealer

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\50a55700-73a8-4958-b97e-431298acd57a\\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 216 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 216 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 216 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 216 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 216 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 216 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 216 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 216 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 216 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 216 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 520 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Windows\SysWOW64\icacls.exe
PID 520 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Windows\SysWOW64\icacls.exe
PID 520 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Windows\SysWOW64\icacls.exe
PID 520 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 520 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 520 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 1924 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 1924 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 1924 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 1924 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 1924 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 1924 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 1924 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 1924 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 1924 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
PID 1924 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe

"C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe"

C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe

"C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\50a55700-73a8-4958-b97e-431298acd57a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe

"C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe

"C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build2.exe

"C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build2.exe"

C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build2.exe

"C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1912

C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build3.exe

"C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build3.exe

"C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build3.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
BA 109.175.29.39:80 brusuax.com tcp
US 8.8.8.8:53 39.29.175.109.in-addr.arpa udp
PE 190.187.52.42:80 habrafa.com tcp
US 8.8.8.8:53 42.52.187.190.in-addr.arpa udp
PE 190.187.52.42:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.0.196:10220 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
DE 116.202.0.196:10220 tcp
DE 116.202.0.196:10220 tcp
DE 116.202.0.196:10220 tcp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 74.239.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\50a55700-73a8-4958-b97e-431298acd57a\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe

MD5 94f84927d4e355c5b599a2a972635903
SHA1 4943750c862ed4d6dd2ab799ec4662684b6adea4
SHA256 7ceb08abf45d7784d9bd9915d212381af9b0ead357c4f96382b63335497f1dfc
SHA512 e91709be7222cb053609189407c0e328b3056630d08ad9cd08f3e8dc87dcbb649506bc32f0315a0895a4d686164ab832eb199614ec620672fd5ad54adc735cbb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 bfe924ae20700a8dba37bdd0677ea45c
SHA1 0fa2d210bdb511100054c5315c12c2f43cf334f1
SHA256 074688d41f4e9fb7f2c480f6fc2b9cea49a739c9870b0494902983bbc653f358
SHA512 a6b02c4ca493e068c3c2874fce05effc0d648503c08648cf742d22649d9a623259bb119affa757395ed10257fcca19ba3ffa3a5b94dd8d809c33562bceaf730d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b53c8c6885abed41527cb077397f49c8
SHA1 6632c25865d784c107038f7963d720c92640a767
SHA256 1883c062dbf55ca4b52b71622efb8127acd9d56a2b5db1c7888ed5737f2345f8
SHA512 035232100350f76b2f9241037248ab6696e45fbbbb18856ca04b8282129ec492ab345b419247d9e65c0d96528b0d92ba91d60f658fcc8921c44cf1b8c4473c2f

C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build2.exe

MD5 c0161fb5fa5b00daf54656649c61a548
SHA1 c368e2e929423fcb406bded2ba2a01aaa0485b30
SHA256 dc8118a7ae2a604d138651c4abb65c908bfd8878ad554bf57aa14d3539547674
SHA512 1cc3235012514a6f6a5646e0a9d07b1bcb2dc123ec7b6a2e8e406799c14380bb3126b5f3589c78ad2b2ef1e6d5774c721b5d4b491764577587efaf8491bbacf5

memory/1428-47-0x00000000005F0000-0x000000000063B000-memory.dmp

memory/64-51-0x0000000000400000-0x000000000065E000-memory.dmp

memory/64-52-0x0000000000400000-0x000000000065E000-memory.dmp

C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build2.exe

MD5 dd347e4a9eed3f1a684c19b9b0dfe98d
SHA1 eb1385312bf570229e612e0d905b51743ba7442e
SHA256 62b9e22ca2ca9c4ee7e9dcdea5bd25209ff189c16a3673e6e0d11a431b820028
SHA512 a99b59f754bda2ea3bfcc639210aa73f169325be03524305ede04f3c1fa8a140e9405546e86d633992f50df5c2f9a8bce6ed589ed7c415e99652c5f25df29ddc

memory/64-48-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1428-46-0x0000000000690000-0x0000000000790000-memory.dmp

C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build2.exe

MD5 566f8ba884fedc599037867b5fed567e
SHA1 59927264e8d4316a6133727381aa8de1afe618ce
SHA256 482fd2f6a2f0d7126e1cbd51c139891f3b9fd1bad52a10e6cc7e58327b3de4d6
SHA512 beca9510603ea1804d9211d79e3d7139f50b7db4927bd13b6debfb4b78345b383c0efe38ab49dcd31484fd8f9c4427d24d987d8d7685e92f2247b67e80a2df43

memory/1900-53-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build3.exe

MD5 b9ff3f154c8d97ad58641b02d7e1c750
SHA1 6f5a0ae803618bc9dc5b052db093b5376a166435
SHA256 28c1869ee2522018be4e6f32f81deb8312b25196724bc8548ccbaefaf139ef9a
SHA512 4397ef4e178423ab55409f7aa668c9d63d5e10432457aa4ace1dc90a09313be3bbac55b6c888667a1242dd918b0fb53b2ccc3edbf6b873cc945ffd254ee9747b

memory/1900-63-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build3.exe

MD5 7655a8ab6ad65f8b0c06e7d6ef573694
SHA1 9c8b88729fe4cda48a7801839f6dc008ead4e50e
SHA256 1a5f238fbb82d782f9022af75c69d02d0a6b02a20e96c45b417d19380b56fcb9
SHA512 fc12524fb4ea6e241e6b902f9f8387336a8c8c27f8fff10493fe0bc1ecbb86ecc21b646319fc423e9a4a578b167b2a5d9cf7b21c1c821a3d7b2e16789c536809

memory/64-66-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1924-67-0x0000000002420000-0x00000000024BC000-memory.dmp

C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build3.exe

MD5 13bef8579f96b08d065dc71343b9332c
SHA1 8cc44aee8fe03a996fb4ec171be00a70775912d0
SHA256 33087e53fd814c39a30e5b9d55e158a75191f45bf7883c0e25bbd5cc9f6c9af3
SHA512 988d63570f84242966a2c7f0fb7bc71d43201fe4f5308fc8ed2e5be2363a5b6dfe233447b4ce537f640aabc3293224e462461dc6f69b859c0ce1455c2aaf0fdb

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 3bb3d56a18eec9b79c287cf1e1b41f1c
SHA1 d37dcf4f1349e3f8ab13b1d859b0533066fbffe9
SHA256 574b4e621aea47f875c1edb98fbfc71d4d302bb568137fbb12a304df0b782c9f
SHA512 a07dede517a571da1f1925cd9ae63fa38b5e5c0dd20458b47198ecf3d1bd862c74a5eef17e3a5192819a796faf7a8b84b59a60837ccbc51dd748b453d8fe2d8c

memory/384-78-0x0000000000400000-0x0000000000406000-memory.dmp

memory/5052-76-0x0000000000B80000-0x0000000000C80000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 5c2b090f6e218209c9c7f4fa935265d5
SHA1 4a8d96c4f25b9912306d3ef178f9b62ca6018286
SHA256 3264a8f122706de1bfb1001716d7fc3388f1f083832d25aa5c8fc6ca83d3eada
SHA512 1dbd88ce19403aeb8dc0973e2bf08627d49e7dec715cea196135366e1c3979add3c9545b975149cf25d99b89606d81f5d26e0f23368202ac431eb7fc35e86e82

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 5169d2a060a54d0bbbd3027fc19a4417
SHA1 2342990e51952aabf570794ababcf643507e4f4d
SHA256 7167395afd26254c61eb9fe58564f01409b402108ffb17564508064e09cc29ff
SHA512 c70d02ce8b59807e1da70d95deec3af679ed05f4a7171771bb1fb767a1812ebcbdf2afd2ce72c7f685f33248ea7f1b55f5cbcccdd4743685df2a97edf88f6489

memory/5052-89-0x00000000008E0000-0x00000000008E4000-memory.dmp

memory/1592-99-0x0000000000B20000-0x0000000000C20000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 4b3fc3105731c7ff3a7e3966416912a2
SHA1 0e792bf25e8795158074fa6bd2ee87ad16675124
SHA256 c0f698bcc4324958848de5d8e1b1bdaed5e01632d8c827a5a95356eb04a2c443
SHA512 6ed5ee0139d9d9a676232a6c5d6e9a8528f880025a11fccf8a1a32a999ae5fac41f993c384fabec788e4e47da714d67f1def0348da6b0f4392e7fc7ff1098c28

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 ffa1fceb3d7fafa3757d48a64fa93f5f
SHA1 3d85f27c84ba62fc3c6195bb7762a177daa0e6e3
SHA256 53b469ba0d446e1ccb9aa596b5a98935cd22d0c37b5d8e9ea39c1bbe948fe2ae
SHA512 c447d7db3d70f3acb7a99d57d355466f29d55b23412737fdbd1020b5ba9512fd4c7f3b8d3a783ec1c38cc4e5153a47e46728355fde81e3a2360a3a3d03dcc9ba

memory/4172-124-0x0000000000B70000-0x0000000000C70000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 e240a6468baf4a67a503853cbed40581
SHA1 80a64abc42c63b3c9657eb37a4202759423ec2b7
SHA256 a4c0bf4b878ee9797b65b0eba70d9c901a23929565dd8cda0c3b5d658f19a891
SHA512 f1a0a711babcd43c724dc684a10e50f9d3c6358e9b05341fab11487daa6828cac46eb40a781c199ee660254734f8ab24ba3f737368d3cb450aa69ade836a174f

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 74ae9689cb04bde426e036319feeb49b
SHA1 b932fd3571f6113cacf1e5eb2b3453a05887963c
SHA256 b59f5c8dc70d0092f4257c3e13745f67e6324edeee709eff32336d3c93bca180
SHA512 642d69ab7ef11418b9d97cfa8882ba38ba5c08fcec428a8a758b9de8ee1d576b4d1fe1a2ca93dc4f1f5e6a8eba8c21f7309975c0c43033350d51e5efe7fcafca

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3472-150-0x0000000000930000-0x0000000000A30000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 95b079f9b83988b2253843dede4b3b19
SHA1 13104dd654365715d64cf2ca083c5fa4c6458f3e
SHA256 df0e29c690158bf6943ef9fac22b10be7a3b590eaee291ea4fcc67d59c8501ca
SHA512 587ba3171d80122efc86b418582e922a61131ee55d015feb58661e560f9bb24fa7ef6eba5053f88aaddaeb21c05e15e420774db430b9850fa55b743acdb7afb0

memory/4292-177-0x0000000000980000-0x0000000000A80000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 e36cf7b8863ed683e3bb596d28d9582a
SHA1 769283b659f5581b8d8cd5c1ddcf80bdfdede5fb
SHA256 36d0ed0156e857587423d0b364dd7aa6ffc33db524466c02a3dc30242aad4c0d
SHA512 6e759fc12a3c75c33aaee2eccb6bf58cd5e7084e208b1eb5d5000c41df43dc6581e4e2638073cd41604c69a445de9aaa3f66b4e6dd8856ed05b673b09e339373

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 8b6a819c6926597dfa7529b692d7a6cc
SHA1 50c535e9cca464afd3a589d2231d87ce417d4312
SHA256 b9cb5501cc2d257e049e1757062523c7f9ee5a85d57d46538fe492125befd26c
SHA512 dfd28b270d99ad89f8ce1df9750b92ff558f73fe2448bf182b5c1c05c7b180bb29175eeaf5a7c918791d64b36167fc1a6044f1aaff838e02e878782f5f6c0ba9