Malware Analysis Report

2025-08-10 18:24

Sample ID 240115-fkgp1aafh8
Target ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2
SHA256 ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2
Tags
djvu vidar discovery persistence ransomware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2

Threat Level: Known bad

The file ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2 was found to be: Known bad.

Malicious Activity Summary

djvu vidar discovery persistence ransomware stealer

Vidar

Detected Djvu ransomware

Djvu Ransomware

Detect Vidar Stealer

Downloads MZ/PE file

Executes dropped EXE

Modifies file permissions

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:55

Reported

2024-01-15 05:00

Platform

win7-20231215-en

Max time kernel

299s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0f7413d5-dbf8-480f-8a81-253200801500\\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2044 set thread context of 2920 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 1072 set thread context of 2792 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 2880 set thread context of 2612 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
PID 1632 set thread context of 2144 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe
PID 3016 set thread context of 2640 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 540 set thread context of 1560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1548 set thread context of 1784 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2424 set thread context of 1596 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = … C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = … C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 2044 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 2044 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 2044 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 2044 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 2044 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 2044 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 2044 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 2044 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 2044 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 2044 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 2920 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Windows\SysWOW64\icacls.exe
PID 2920 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Windows\SysWOW64\icacls.exe
PID 2920 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Windows\SysWOW64\icacls.exe
PID 2920 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Windows\SysWOW64\icacls.exe
PID 2920 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 2920 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 2920 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 2920 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 1072 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 1072 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 1072 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 1072 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 1072 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 1072 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 1072 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 1072 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 1072 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 1072 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 1072 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 2792 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
PID 2792 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
PID 2792 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
PID 2792 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
PID 2880 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
PID 2880 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
PID 2880 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
PID 2880 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
PID 2880 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
PID 2880 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
PID 2880 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
PID 2880 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
PID 2880 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
PID 2880 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
PID 2880 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
PID 2792 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe
PID 2792 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe
PID 2792 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe
PID 2792 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe
PID 1632 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe
PID 1632 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe
PID 1632 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe
PID 1632 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe
PID 1632 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe
PID 1632 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe
PID 1632 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe
PID 1632 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe
PID 1632 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe
PID 1632 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe
PID 2144 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2144 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2144 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2144 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2612 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe

"C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe"

C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe

"C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\0f7413d5-dbf8-480f-8a81-253200801500" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe

"C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe

"C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe

"C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe"

C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe

"C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe"

C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe

"C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe"

C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe

"C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 1444

C:\Windows\system32\taskeng.exe

taskeng.exe {5B92BC40-6BB0-4D82-B9B3-2DE9574162AC} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
BA 185.12.79.25:80 brusuax.com tcp
US 8.8.8.8:53 habrafa.com udp
PE 190.187.52.42:80 habrafa.com tcp
PE 190.187.52.42:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp

Files

memory/2044-0-0x00000000002A0000-0x0000000000332000-memory.dmp

memory/2044-1-0x00000000002A0000-0x0000000000332000-memory.dmp

memory/2044-2-0x0000000001D60000-0x0000000001E7B000-memory.dmp

memory/2920-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2920-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2920-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2920-8-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\0f7413d5-dbf8-480f-8a81-253200801500\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe

MD5 b39217e76b21bf17052cd2abd00aef34
SHA1 31cf90601333cc6b46bf0a6b4cdd62cbdabf9067
SHA256 ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2
SHA512 bfc5d6b0ca0f841e8900bae346ab0f8e101f1bd5422c56704de70505e90c8f228d2a8ea5eff982a0fb55f4bd315cf71cffae021137a16f7446ad2bbed98e73d8

memory/1072-27-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2920-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1072-29-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2792-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2792-34-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab61DE.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d50df247a1329fd16d3cdee814ad86a
SHA1 52436ad5f62ba32e4245b0981be5441410b1d390
SHA256 9a4e395286911c33a19bb6c4c82c147e45f44845186856ad4bf7331d43ecbbdb
SHA512 69e6808f90c0c2e92d7cabd8a5ec459c6c35e8aaa6ea63a0e6762d213d6edd1c78bf58866cf814f0898a04d963a59c13ece05fca9fea028ba63643360370c8a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 9d58eaa6e3e7a9e97e94577582ecd65d
SHA1 3fff92118c1071d2a99be25e35260f9a13a97bb3
SHA256 0209941518fd4475caa3e834720805f6df75fa08e4a828f49ca218b56a672169
SHA512 060d9c86293d71850352dc6920f36310d8e1023b8e0a550d6c96deebda9f5894724155aad6db6235d675b719f9c4b1b3723ebdb2095fb2e977ffdc72ecf76d2a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 71ad60bb070402bdd701c9c2a5cdcfa5
SHA1 68216fbca63af8923a845365f36c181db5ed60b7
SHA256 06cbdd3453f54be2dd0e40232fc84a30807d1b9162647cc3ebf608c2a8a7d831
SHA512 4e6daa3f65b2a3b55a075741bceb0eb5bf64a6f0a7e1aa3140ed2d8a93443404c7599615780b757c30ad9f480eeae4e05a6e60b761db6c7d3434e871c0b55d11

memory/2792-48-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2792-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2792-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2792-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2792-56-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe

MD5 c4070da9f9b0581171af16e681ccdff8
SHA1 3fb4182921fdc3acd7873ebe113ac5522585312a
SHA256 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
SHA512 c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427

memory/2612-74-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2880-73-0x00000000003B0000-0x00000000003FB000-memory.dmp

memory/2880-71-0x0000000000240000-0x0000000000340000-memory.dmp

memory/2612-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2612-77-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2612-79-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2792-78-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar7917.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2792-115-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d137a38fdd6dde5bec62fa5889525f7
SHA1 bd0029e7dd41f3c938fb93ed18ce511a3b1a64ac
SHA256 c1017f73bea6d1312088cbfab8493e0147470f0f2a1b44ca2ab12eab8a6908e1
SHA512 b5d79b62abfeb50f086413b40db4659b7d2c25e20fbe9eea58d8be4109d6c92ef10928dbea7005afa9f6275c5331d4a8fa7349d238c0b801e007ac1408f81c4c

memory/1632-176-0x00000000001B0000-0x00000000001B4000-memory.dmp

memory/1632-174-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/2144-178-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2144-181-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2144-183-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2144-202-0x0000000000410000-0x0000000000591000-memory.dmp

memory/2612-222-0x0000000000400000-0x000000000065E000-memory.dmp

memory/2612-228-0x0000000000400000-0x000000000065E000-memory.dmp

memory/3016-243-0x0000000000970000-0x0000000000A70000-memory.dmp

memory/540-270-0x0000000000290000-0x0000000000390000-memory.dmp

memory/1560-276-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1548-302-0x0000000000312000-0x0000000000322000-memory.dmp

memory/2424-330-0x00000000008B0000-0x00000000009B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:55

Reported

2024-01-15 05:00

Platform

win10-20231220-en

Max time kernel

21s

Max time network

304s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\81d357ab-cfdc-4212-8f82-4a1b4456f6e4\\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3288 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 4460 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Windows\SysWOW64\icacls.exe
PID 4460 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
PID 3924 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe

"C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\81d357ab-cfdc-4212-8f82-4a1b4456f6e4" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe

"C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\b70c4e1a-8c56-403d-a98a-44b5e9d09e70\build2.exe

"C:\Users\Admin\AppData\Local\b70c4e1a-8c56-403d-a98a-44b5e9d09e70\build2.exe"

C:\Users\Admin\AppData\Local\b70c4e1a-8c56-403d-a98a-44b5e9d09e70\build3.exe

"C:\Users\Admin\AppData\Local\b70c4e1a-8c56-403d-a98a-44b5e9d09e70\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1896

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe


Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
CO 186.147.159.149:80 brusuax.com tcp
AR 186.182.55.44:80 habrafa.com tcp
US 8.8.8.8:53 44.55.182.186.in-addr.arpa udp
US 8.8.8.8:53 149.159.147.186.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.0.196:10220 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 106.246.116.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\81d357ab-cfdc-4212-8f82-4a1b4456f6e4\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\Local\b70c4e1a-8c56-403d-a98a-44b5e9d09e70\build2.exe

C:\Users\Admin\AppData\Local\b70c4e1a-8c56-403d-a98a-44b5e9d09e70\build3.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
