Malware Analysis Report

2025-08-10 18:24

Sample ID: 240115-fkaaxshgbr
Target: a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a
SHA256: a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a
Tags: djvu vidar discovery persistence ransomware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a
Threat Level: Known bad

The file a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a was found to be: Known bad.

Malicious Activity Summary

djvu vidar discovery persistence ransomware stealer

Djvu Ransomware

Detected Djvu ransomware

Detect Vidar Stealer

Vidar

Downloads MZ/PE file

Modifies file permissions

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-01-15 04:55

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-15 04:55
Reported: 2024-01-15 05:00
Platform: win7-20231215-en
Max time kernel: 295s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe"

Signatures

Detect Vidar Stealer

stealer

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\24a08177-5051-4a05-82e2-978b9537af99\\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1852 set thread context of 1612 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 2664 set thread context of 2580 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 1340 set thread context of 2520 N/A C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe
PID 268 set thread context of 2144 N/A C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe
PID 1908 set thread context of 1520 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 776 set thread context of 2436 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 532 set thread context of 760 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2712 set thread context of 1576 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3064 set thread context of 2900 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary certificate blob not reproduced in this report] C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1852 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 1612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Windows\SysWOW64\icacls.exe
PID 1612 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 2664 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 2580 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe
PID 1340 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe
PID 2580 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe
PID 268 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe
PID 2144 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2520 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe (2 instances)

"C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\24a08177-5051-4a05-82e2-978b9537af99" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe (2 instances)

"C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe (2 instances)

"C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe"

C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe

"C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe

"C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1436

C:\Windows\system32\taskeng.exe

taskeng.exe {D0EDE7BC-9159-4D69-9190-ABFF6977CB4A} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (4 instances, no command line recorded)

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (16 instances, no command line recorded)

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
PE 190.187.52.42:80 habrafa.com tcp
BA 185.12.79.25:80 habrafa.com tcp
PE 190.187.52.42:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp

Files


memory/2520-226-0x0000000000400000-0x000000000065E000-memory.dmp

memory/1340-228-0x00000000001C0000-0x000000000020B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1908-236-0x00000000008C0000-0x00000000009C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 ddd41c9f1e05950d887a19c5c0796aae
SHA1 7533f7c83bf2323b7cb473042992bdd28e69c444
SHA256 31f6455c91ab14213dc328c9eb8ace57db24e1c238a0549442c44e5cb000716f
SHA512 c600c984d78ed0dc3dcfd294e67126879e1355e446663ff550447ff2a436328324fb66968b359b0dcc3e60101afdfbd733f10319ade2a4ac93c63438ca62660c

memory/776-267-0x0000000000992000-0x00000000009A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 ae4bd1b16336e053a817a1bbad696120
SHA1 1ac2f5a2adfe10362b73545cc7b0a6c79ec07909
SHA256 475a21db48099a03e0f01f59447f925718bcfe1044f2ccb54baab2369a2d4bdf
SHA512 027ab2ed7aea37df3c708331d6ddb4bf61ae7f4d5f2bb4362cd520508d047258e6a5ffe511d62158b49ee825ddf09739fae01948e524090950fd1e6e8ae82625

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 a796a4e9bda2490e70607932e085e289
SHA1 58ae2353dae80e6499316336c58e902cd4ba9c4d
SHA256 0606cbaa53e55864bcb9e20f3426a2164734ea394ef14fd204a0a1431d10e575
SHA512 9c79d33ab16a6f5a0510ce9db6527cb50547f31003d7038713a9f800cce8b8f6f6cb2784ceb751f05036d6be6d42b98efa05718d632245a323b4ee8e06bb29f0

memory/532-295-0x0000000000A02000-0x0000000000A12000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 956a0460a4c142fa6b5c70dec0872af0
SHA1 aade02ab4fab13ef34a88fd87a92990c079541ef
SHA256 35dcda33197b4f6a1dc8a45dde2e9dd6d25b67d53b6369d6a1d6192292c7ca0e
SHA512 162b7721dfe4d2f11283bb364ed3704022c2bd5d43692997f1ead52959b31e1d4bc3ad0126f72b9e694de1e7125cdc2f711f13b2a26c2bda8cc386f1ae871b9a

memory/2712-321-0x0000000000900000-0x0000000000A00000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 fe3b3cbc34bba7a595ffa84ce906aff8
SHA1 fcfc5967cbf23df360952e4cbf37a23c3404e6b7
SHA256 bf6dde768f944e5bc829274a1c202e32c2e12ae1d16bc7a702f89dbb3dbf1d48
SHA512 09672aa9eb5164aa87cafde7a61d7980f6b15f6b1dd5b7c5e67105c8689f0e211ab989ecefab5669199733bce586e8cd7fab81a2593be726d69565e647d8a656

memory/3064-351-0x00000000009D2000-0x00000000009E2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 1ccf31bdd875be9881991f56c08408f6
SHA1 4aa6366088d353b1a06ec141481b863cd42c0a75
SHA256 74b214e76c8dae00ce66e996c9b7380dda5565eb6ec6806c7c50568614711fc9
SHA512 d3ad73d1f449eb75194688500d7f0d963b0579029338396ae1be19f07a6a831680e8770f4d3f1bba4743628e96d490e51427dabf9dfff0930fe6f8272f8caced

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:55

Reported

2024-01-15 05:00

Platform

win10-20231215-en

Max time kernel

297s

Max time network

304s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ff4b3cd0-a953-4de5-bc46-5112cba09b7e\\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3784 set thread context of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 2980 set thread context of 3320 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 1444 set thread context of 4268 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe
PID 3680 set thread context of 864 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe
PID 3248 set thread context of 4264 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 5068 set thread context of 436 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 5040 set thread context of 2104 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 688 set thread context of 2860 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1492 set thread context of 2508 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3784 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 3784 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 3784 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 3784 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 3784 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 3784 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 3784 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 3784 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 3784 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 3784 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 2544 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Windows\SysWOW64\icacls.exe
PID 2544 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Windows\SysWOW64\icacls.exe
PID 2544 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Windows\SysWOW64\icacls.exe
PID 2544 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 2544 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 2544 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 2980 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 2980 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 2980 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 2980 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 2980 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 2980 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 2980 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 2980 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 2980 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 2980 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
PID 3320 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe
PID 3320 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe
PID 3320 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe
PID 1444 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe
PID 1444 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe
PID 1444 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe
PID 1444 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe
PID 1444 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe
PID 1444 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe
PID 1444 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe
PID 1444 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe
PID 1444 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe
PID 1444 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe
PID 3320 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe
PID 3320 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe
PID 3320 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe
PID 3680 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe
PID 3680 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe
PID 3680 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe
PID 3680 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe
PID 3680 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe
PID 3680 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe
PID 3680 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe
PID 3680 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe
PID 3680 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe
PID 864 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 864 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 864 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 3248 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3248 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3248 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3248 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3248 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3248 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3248 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3248 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3248 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4264 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe
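The two tables above are long because the sandbox logs one row per API call, but the useful information is the graph they describe: which PID wrote into which, and which of those pairs also had its thread context reset. The following is an added example, not part of the sandbox report; it re-parses the rows for behavioral2 (de-duplicated by hand, one row per distinct source/target pair) and rebuilds the chain. Treating a same-image child that receives both WriteProcessMemory and SetThreadContext as a process-hollowing candidate is the analyst's inference, labelled as such in the code; the report itself only records the two API signatures.

```python
"""Rebuild the injection chain from the sandbox's signature rows (added example)."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe"
BUILD2 = r"C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe"
BUILD3 = r"C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe"
MSTSCA = r"C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
ICACLS = r"C:\Windows\SysWOW64\icacls.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Rows copied from the SetThreadContext and WriteProcessMemory tables above,
# one per distinct (source, target) pair; constructed input for this example.
SIGNATURE_ROWS = [
    f"PID 3784 set thread context of 2544 N/A {SAMPLE} {SAMPLE}",
    f"PID 2980 set thread context of 3320 N/A {SAMPLE} {SAMPLE}",
    f"PID 1444 set thread context of 4268 N/A {BUILD2} {BUILD2}",
    f"PID 3680 set thread context of 864 N/A {BUILD3} {BUILD3}",
    f"PID 3248 set thread context of 4264 N/A {MSTSCA} {MSTSCA}",
    f"PID 5068 set thread context of 436 N/A {MSTSCA} {MSTSCA}",
    f"PID 5040 set thread context of 2104 N/A {MSTSCA} {MSTSCA}",
    f"PID 688 set thread context of 2860 N/A {MSTSCA} {MSTSCA}",
    f"PID 1492 set thread context of 2508 N/A {MSTSCA} {MSTSCA}",
    f"PID 3784 wrote to memory of 2544 N/A {SAMPLE} {SAMPLE}",
    f"PID 2544 wrote to memory of 1820 N/A {SAMPLE} {ICACLS}",
    f"PID 2544 wrote to memory of 2980 N/A {SAMPLE} {SAMPLE}",
    f"PID 2980 wrote to memory of 3320 N/A {SAMPLE} {SAMPLE}",
    f"PID 3320 wrote to memory of 1444 N/A {SAMPLE} {BUILD2}",
    f"PID 1444 wrote to memory of 4268 N/A {BUILD2} {BUILD2}",
    f"PID 3320 wrote to memory of 3680 N/A {SAMPLE} {BUILD3}",
    f"PID 3680 wrote to memory of 864 N/A {BUILD3} {BUILD3}",
    f"PID 864 wrote to memory of 4780 N/A {BUILD3} {SCHTASKS}",
    f"PID 3248 wrote to memory of 4264 N/A {MSTSCA} {MSTSCA}",
    f"PID 4264 wrote to memory of 4756 N/A {MSTSCA} {SCHTASKS}",
]

ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) N/A (\S+) (\S+)$")


def parse_rows(rows):
    """Return (src_pid, action, dst_pid, src_image, dst_image) tuples, one per row."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, action, dst, src_img, dst_img = m.groups()
        events.append((int(src), action, int(dst), src_img, dst_img))
    return events


def process_tree(events):
    """Map each PID to its image basename and to the PIDs it wrote into or started."""
    names, children = {}, defaultdict(set)
    for src, _, dst, src_img, dst_img in events:
        names[src] = src_img.rsplit("\\", 1)[-1]
        names[dst] = dst_img.rsplit("\\", 1)[-1]
        children[src].add(dst)
    return names, children


def hollowing_candidates(events):
    """(parent, child) pairs with the same image that saw BOTH WriteProcessMemory and SetThreadContext.

    Analyst's inference: writing into a freshly created copy of your own executable
    and then resetting its thread context is the classic process-hollowing sequence.
    """
    seen = defaultdict(set)
    for src, action, dst, src_img, dst_img in events:
        if src_img == dst_img:
            seen[(src, dst)].add(action)
    return sorted(pair for pair, actions in seen.items() if len(actions) == 2)


def descendants(events, root):
    """Every PID reachable from root through the recorded write/context edges."""
    _, children = process_tree(events)
    out, stack = set(), [root]
    while stack:
        pid = stack.pop()
        for child in children[pid]:
            if child not in out:
                out.add(child)
                stack.append(child)
    return out


def render(events, root, depth=0):
    """Indented text tree, one line per PID, for a quick read of the chain."""
    names, children = process_tree(events)
    lines = [f"{'  ' * depth}{root} {names[root]}"]
    for child in sorted(children[root]):
        lines.extend(render(events, child, depth + 1))
    return lines


if __name__ == "__main__":
    evs = parse_rows(SIGNATURE_ROWS)
    for root in (3784, 3248):
        print("\n".join(render(evs, root)))
    print("hollowing candidates:", hollowing_candidates(evs))
```

Reading the output: the original sample (3784) hollows a copy of itself (2544), which spawns icacls and a second hollowed copy running with `--Admin IsNotAutoStart IsNotTask` (2980 to 3320); that innermost copy drops and runs build2.exe and build3.exe, each of which hollows a copy of itself, and build3.exe's hollowed child (864) is the one that registers the scheduled task. The later mstsca.exe pairs (5068, 5040, 688, 1492) appear only in the SetThreadContext table above, so they are reported by `hollowing_candidates` only if their WriteProcessMemory rows are also present.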

Processes

C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe

"C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe"

C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe

"C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ff4b3cd0-a953-4de5-bc46-5112cba09b7e" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe

"C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe

"C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe

"C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe"

C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe

"C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe"

C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe

"C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1928

C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe

"C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
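Three command lines in this run carry the persistence and self-protection logic: the icacls call that denies Everyone (S-1-1-0) delete rights on the GUID-named staging folder, the schtasks call that re-launches mstsca.exe every minute under the name "Azure-Update-Task", and the Run value "SysHelper" that starts the staged copy with `--AutoStart`. The checks below are an added example, not part of the report or of any sandbox tooling: they parse those exact strings and flag the properties a triage rule would key on. The "user-writable" path markers and the five-minute interval threshold are the example's own assumptions.

```python
"""Triage checks for the persistence command lines in this report (added example)."""
import re

# Command lines copied from the Processes section and the Run-key signature above
# (constructed input for this example).
ICACLS_CMD = r'icacls "C:\Users\Admin\AppData\Local\ff4b3cd0-a953-4de5-bc46-5112cba09b7e" /deny *S-1-1-0:(OI)(CI)(DE,DC)'
SCHTASKS_CMD = r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'
RUN_VALUE = r'"C:\Users\Admin\AppData\Local\ff4b3cd0-a953-4de5-bc46-5112cba09b7e\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe" --AutoStart'

GUID_DIR = re.compile(r"\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}(\\|$)", re.I)
# Assumption of this example: locations a standard user can write to without elevation.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
EVERYONE = "*S-1-1-0"
SHORT_INTERVAL_MINUTES = 5   # assumption: anything this frequent is a watchdog, not a job


def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping double-quoted spans as one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def check_schtasks(cmd):
    """Flag task registrations that re-launch a user-writable binary on a tight schedule."""
    toks = tokenize(cmd)
    switches = {t.lower() for t in toks if t.startswith("/")}
    values = {toks[i].lower(): toks[i + 1] for i in range(len(toks) - 1)
              if toks[i].startswith("/") and not toks[i + 1].startswith("/")}
    target = values.get("/tr", "")
    interval = None
    if values.get("/sc", "").lower() == "minute" and values.get("/mo", "").isdigit():
        interval = int(values["/mo"])
    flags = []
    if interval is not None and interval <= SHORT_INTERVAL_MINUTES:
        flags.append("short-interval")         # payload comes back within minutes if killed
    if user_writable(target):
        flags.append("user-writable-target")   # no elevation was needed to plant the binary
    if "/f" in switches:
        flags.append("force-overwrite")        # silently replaces a task of the same name
    return {"task": values.get("/tn"), "target": target, "interval_minutes": interval, "flags": flags}


def check_icacls(cmd):
    """Flag a deny ACE for Everyone on a staging folder: it blocks deletion of the dropped copy."""
    toks = tokenize(cmd)
    lowered = [t.lower() for t in toks]
    path = toks[1] if len(toks) > 1 else ""
    flags, sid, rights = [], None, set()
    if "/deny" in lowered:
        spec = toks[lowered.index("/deny") + 1]
        sid, _, perms = spec.partition(":")
        rights = set(re.findall(r"[A-Z]+", perms))   # (OI)(CI)(DE,DC) -> {OI, CI, DE, DC}
        if sid.upper() == EVERYONE:
            flags.append("deny-everyone")
        if rights & {"DE", "DC", "F"}:
            flags.append("blocks-delete")          # DE = delete, DC = delete child, F = everything
    if GUID_DIR.search(path) and user_writable(path):
        flags.append("guid-staging-dir")
    return {"path": path, "sid": sid, "rights": sorted(rights), "flags": flags}


def check_run_value(value):
    """Flag a Run value that starts a copy from a GUID-named AppData folder with an autostart switch."""
    toks = tokenize(value)
    image, args = (toks[0] if toks else ""), toks[1:]
    flags = []
    if GUID_DIR.search(image):
        flags.append("guid-staging-dir")
    if any(a.lower() == "--autostart" for a in args):
        flags.append("autostart-switch")
    if user_writable(image):
        flags.append("user-writable-image")
    return {"image": image, "args": args, "flags": flags}


if __name__ == "__main__":
    for name, result in (("schtasks", check_schtasks(SCHTASKS_CMD)),
                         ("icacls", check_icacls(ICACLS_CMD)),
                         ("run", check_run_value(RUN_VALUE))):
        print(name, result["flags"])
```

Two consequences for cleanup follow directly from these flags: the deny ACE has to be removed (for example with `icacls <folder> /remove:d *S-1-1-0`, run as the owning user or an administrator) before the staged copy can be deleted, and the "Azure-Update-Task" task has to be deleted before mstsca.exe is killed, otherwise the one-minute trigger simply starts it again.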

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
BA 185.12.79.25:80 brusuax.com tcp
US 8.8.8.8:53 habrafa.com udp
PE 190.187.52.42:80 habrafa.com tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 25.79.12.185.in-addr.arpa udp
US 8.8.8.8:53 42.52.187.190.in-addr.arpa udp
PE 190.187.52.42:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
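The table mixes three kinds of rows: queries to the sandbox's resolver (8.8.8.8), reverse (in-addr.arpa) lookups the sandbox performs on addresses it sees, and the sample's own TCP connections. Only the last kind are indicators worth blocking, and even among those api.2ip.ua is the external-IP check the report flags separately rather than command-and-control. The following added example (not part of the report) parses the table into those categories; the resolver address and the list of IP-lookup services are the example's own assumptions.

```python
"""Split a sandbox network table into blockable indicators and noise (added example)."""
import re
from collections import Counter

# The Network table above, copied verbatim; constructed input for this example.
NETWORK_TABLE = """\
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
BA 185.12.79.25:80 brusuax.com tcp
US 8.8.8.8:53 habrafa.com udp
PE 190.187.52.42:80 habrafa.com tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 25.79.12.185.in-addr.arpa udp
US 8.8.8.8:53 42.52.187.190.in-addr.arpa udp
PE 190.187.52.42:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
"""

ROW = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")
RESOLVERS = {"8.8.8.8"}                 # assumption: the sandbox VM's DNS server
IP_LOOKUP_SERVICES = {"api.2ip.ua"}     # the 'Looks up external IP address' indicator above


def parse_network(text):
    """Return one dict per row; the domain column is optional in the table."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        cc, ip, port, domain, proto = m.groups()
        rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'220.139.67.172.in-addr.arpa' -> '172.67.139.220'."""
    return ".".join(reversed(name.split(".")[:4]))


def iocs(rows):
    """Separate real destinations from resolver traffic and reverse lookups."""
    domains, direct, ptr = set(), set(), set()
    contacts = Counter()
    for r in rows:
        d = r["domain"]
        if d and d.endswith(".in-addr.arpa"):
            ptr.add(ptr_to_ip(d))          # sandbox-side reverse lookup, not a destination
            continue
        if r["ip"] in RESOLVERS:
            if d:
                domains.add(d)             # a DNS query: record the name, not 8.8.8.8
            continue
        contacts[(r["ip"], r["port"])] += 1
        if d is None or d == r["ip"]:
            direct.add((r["ip"], r["port"]))   # connection with no hostname: hard-coded IP
        else:
            domains.add(d)
    contacted_ips = {ip for ip, _ in contacts}
    return {
        "domains": sorted(domains - IP_LOOKUP_SERVICES),
        "ip_lookup": sorted(domains & IP_LOOKUP_SERVICES),
        "direct_ip": sorted(direct),
        "contacts": dict(contacts),
        "ptr_targets": sorted(ptr),
        "ptr_without_contact": sorted(ptr - contacted_ips),
    }


if __name__ == "__main__":
    for key, value in iocs(parse_network(NETWORK_TABLE)).items():
        print(f"{key}: {value}")
```

The `direct_ip` list is the one to look at first: 116.202.0.196:10220 is contacted four times by raw IP on a non-standard port, and 20.231.121.79:80 has no hostname at all. `ptr_without_contact` lists addresses the sandbox reverse-resolved but that never appear as a destination in this table, so they should not be copied into a blocklist on the strength of this report alone.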

Files

memory/3784-1-0x0000000000720000-0x00000000007BA000-memory.dmp

memory/3784-2-0x00000000021D0000-0x00000000022EB000-memory.dmp

memory/2544-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2544-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2544-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2544-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\ff4b3cd0-a953-4de5-bc46-5112cba09b7e\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe

MD5 3c2b31e7c091650e12934ee8eeaeeb58
SHA1 5848274e0b6da2d94d28b32314a5b9b56d2d7a5e
SHA256 a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a
SHA512 fde24a46c657248611e27feb5835eb76e12ba828028b1ba514ff98cf5046f122d68e179923f6c52edec0c97edc578f7a6e0671eda12799ce4351f934db0d6100

memory/2544-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2980-20-0x0000000000710000-0x00000000007AB000-memory.dmp

memory/3320-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3320-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3320-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 57313eb3ffa096f23faa8ee3cafae685
SHA1 6de8364f5146921d7f2faa22a5c4927bf93d7634
SHA256 4de57d50cf948cd713380aab3a43b0e57c8c8313d891b60082c08f9cb2214abf
SHA512 97aaeab67fa1640a635e3af6900ef8f531bde377195fd76955c0fef6cf6d7ac1abebbeb881307cb20fa882941f414dacad5be945496a9b4f6b962f69f4bd0a65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 cdd2a66680e57ed3177202af8e0e3e76
SHA1 5f8cb7912c9122161fd49eb608a5722f37e0f0da
SHA256 d641ee5febeac49f522fb93abcf5e7fd0cbdd543f984cf27545ccac395135337
SHA512 55eaa6335b0ea858b3207e5197f340ab74b69596e1aaf8101c98dbd201d7ccd8823ebbb62ab92d420cee3bd120192f8ab9923c4c9e31b948f8a3e6cf22ed5c17

memory/3320-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3320-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3320-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3320-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3320-37-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build2.exe

MD5 c4070da9f9b0581171af16e681ccdff8
SHA1 3fb4182921fdc3acd7873ebe113ac5522585312a
SHA256 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
SHA512 c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427

memory/1444-46-0x00000000007A0000-0x00000000008A0000-memory.dmp

memory/1444-47-0x00000000005E0000-0x000000000062B000-memory.dmp

memory/4268-48-0x0000000000400000-0x000000000065E000-memory.dmp

memory/4268-51-0x0000000000400000-0x000000000065E000-memory.dmp

memory/4268-52-0x0000000000400000-0x000000000065E000-memory.dmp

memory/3320-56-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\092bdef0-490c-4c03-a841-2a658414b65f\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/3320-62-0x0000000000400000-0x0000000000537000-memory.dmp

memory/864-67-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3680-70-0x0000000000970000-0x0000000000A70000-memory.dmp

memory/3680-71-0x00000000008E0000-0x00000000008E4000-memory.dmp

memory/864-72-0x0000000000400000-0x0000000000406000-memory.dmp

memory/864-74-0x0000000000400000-0x0000000000406000-memory.dmp

memory/4268-77-0x0000000000400000-0x000000000065E000-memory.dmp

memory/3248-84-0x00000000008B0000-0x00000000009B0000-memory.dmp

memory/4264-87-0x0000000000400000-0x0000000000406000-memory.dmp

memory/5068-110-0x0000000000A00000-0x0000000000B00000-memory.dmp

memory/436-116-0x0000000000410000-0x0000000000411000-memory.dmp

memory/5040-139-0x00000000009A0000-0x0000000000AA0000-memory.dmp

memory/688-164-0x0000000000A40000-0x0000000000B40000-memory.dmp

memory/1492-191-0x0000000000960000-0x0000000000A60000-memory.dmp
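Two things stand out when the Files sections of both runs are read together: build3.exe and mstsca.exe are written repeatedly with a different SHA256 every time, while build2.exe has the same SHA256 in the Windows 7 and Windows 10 runs; and the Windows 10 build3.exe (SHA256 fef2c8ca…) is byte-identical to the first mstsca.exe written in the Windows 7 run, which is consistent with build3.exe's child being the process that registers the mstsca.exe task. The script below is an added example, not part of the report: it groups the SHA256 values copied from both Files sections (truncated to 16 hex characters here for brevity; the report carries the full digests) and reports which names are stable and which digests are reused across names or runs.

```python
"""Hash-per-path analysis across the two detonations (added example)."""
from collections import defaultdict

# (run, basename, SHA256 prefix) copied from the two Files sections above, in order.
# 'win7' is behavioral1, 'win10' is behavioral2. Constructed input for this example.
DROPPED = [
    ("win7", "build3.exe", "f86fbbe033bf6b10"),
    ("win7", "build3.exe", "5bbbed6d3670f160"),
    ("win7", "build3.exe", "ca2cb2ba86cd09c6"),
    ("win7", "build3.exe", "197b33a766825f2c"),
    ("win7", "build3.exe", "73f0cdba3653a614"),
    ("win7", "build3.exe", "a8a871f0d8dac606"),
    ("win7", "build2.exe", "26063c78e5418610"),
    ("win7", "mstsca.exe", "fef2c8ca07c500e4"),
    ("win7", "mstsca.exe", "31f6455c91ab1421"),
    ("win7", "mstsca.exe", "475a21db48099a03"),
    ("win7", "mstsca.exe", "0606cbaa53e55864"),
    ("win7", "mstsca.exe", "35dcda33197b4f6a"),
    ("win7", "mstsca.exe", "bf6dde768f944e5b"),
    ("win7", "mstsca.exe", "74b214e76c8dae00"),
    ("win10", "a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe", "a3113438508c7141"),
    ("win10", "build2.exe", "26063c78e5418610"),
    ("win10", "build3.exe", "fef2c8ca07c500e4"),
]


def distinct_hashes(entries):
    """Number of distinct contents seen under each file name, across both runs."""
    seen = defaultdict(set)
    for _, name, digest in entries:
        seen[name].add(digest)
    return {name: len(digests) for name, digests in seen.items()}


def volatile_names(entries):
    """Names whose content changed between writes: every write brought a new binary."""
    return sorted(name for name, count in distinct_hashes(entries).items() if count > 1)


def shared_hashes(entries):
    """Digests seen under more than one (run, name): the same bytes reused elsewhere."""
    where = defaultdict(set)
    for run, name, digest in entries:
        where[digest].add((run, name))
    return {digest: sorted(places) for digest, places in where.items() if len(places) > 1}


if __name__ == "__main__":
    print("distinct contents per name:", distinct_hashes(DROPPED))
    print("volatile names:", volatile_names(DROPPED))
    for digest, places in shared_hashes(DROPPED).items():
        print(digest, "->", places)
```

The practical consequence is that a hash blocklist built from this report will catch build2.exe and the original sample but not build3.exe or mstsca.exe, whose digests never repeat; for those, the path `%AppData%\Microsoft\Network\mstsca.exe`, the task name "Azure-Update-Task", the "SysHelper" Run value and the `--AutoStart` / `--Admin IsNotAutoStart IsNotTask` switches are the durable indicators.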