Malware Analysis Report

2025-08-10 18:24

Sample ID 240115-flwkjshgfk
Target cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20
SHA256 cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20
Tags
djvu vidar discovery persistence ransomware stealer
Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20

Threat Level: Known bad

The file cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20 was found to be: Known bad.

Malicious Activity Summary

djvu vidar discovery persistence ransomware stealer

Detected Djvu ransomware

Djvu Ransomware

Vidar

Detect Vidar Stealer

Downloads MZ/PE file

Modifies file permissions

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:58

Reported

2024-01-15 05:03

Platform

win7-20231215-en

Max time kernel

300s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\35536c4d-a176-40a0-8026-fcb91feb54e7\\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2444 set thread context of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2556 set thread context of 1712 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 460 set thread context of 1892 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
PID 780 set thread context of 3020 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
PID 2320 set thread context of 2820 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1908 set thread context of 2844 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2096 set thread context of 2460 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1996 set thread context of 2520 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2364 set thread context of 2508 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2444 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2444 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2444 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2444 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2444 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2444 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2444 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2444 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2444 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2444 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 1744 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Windows\SysWOW64\icacls.exe
PID 1744 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Windows\SysWOW64\icacls.exe
PID 1744 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Windows\SysWOW64\icacls.exe
PID 1744 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Windows\SysWOW64\icacls.exe
PID 1744 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 1744 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 1744 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 1744 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2556 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2556 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2556 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2556 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2556 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2556 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2556 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2556 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2556 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2556 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 2556 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 1712 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
PID 1712 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
PID 1712 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
PID 1712 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
PID 460 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
PID 460 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
PID 460 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
PID 460 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
PID 460 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
PID 460 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
PID 460 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
PID 460 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
PID 460 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
PID 460 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
PID 460 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
PID 1712 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
PID 1712 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
PID 1712 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
PID 1712 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
PID 1892 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1892 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1892 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1892 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 780 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
PID 780 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
PID 780 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
PID 780 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
PID 780 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
PID 780 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
PID 780 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
PID 780 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
PID 780 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
PID 780 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
PID 3020 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe

"C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe"

C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe

"C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\35536c4d-a176-40a0-8026-fcb91feb54e7" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe

"C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe

"C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe

"C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe"

C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe

"C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe"

C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe

"C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 1440

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe

"C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {C6C3ADA7-8755-4AF3-8ACE-6C635FDFFBB9} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
MX 187.211.34.211:80 brusuax.com tcp
AR 186.13.17.220:80 habrafa.com tcp
AR 186.13.17.220:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp
FI 65.109.241.139:443 65.109.241.139 tcp

Files

memory/2444-0-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2444-2-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/1744-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2444-4-0x0000000001E90000-0x0000000001FAB000-memory.dmp

memory/1744-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2444-7-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/1744-8-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1744-9-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\35536c4d-a176-40a0-8026-fcb91feb54e7\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe

MD5 0407f464f5383cc888945bda2afa42c6
SHA1 92de3404b2b42c0460565201ceaf2669bd6fc149
SHA256 cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20
SHA512 39aabd70c7065714718c0cb91795b1e690972780e1c118cb0f71f7f481f889f1df36b2e4b17b2e791ac8ef477c69f412a00f51bde9eec9e3c7531498c5586e50

memory/1744-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2556-30-0x0000000000350000-0x00000000003E2000-memory.dmp

memory/2556-31-0x0000000000350000-0x00000000003E2000-memory.dmp

memory/1712-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1712-37-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27ec60a3bed94dbab817f3dcf9821b33
SHA1 d46144afb0108db96b2ce2b2807e8b4fd0781c1d
SHA256 dda4f6a36ec887cae4f6e0a95a40c5d910694a1eb249058f7c631fcb7383a0cb
SHA512 7b19af41ce333088af01c4d41d9ad955962ae4d1afc9f266a66a783edee786ff1469b5e88642abddf5f73e6ee17e0771e6aabb7c082c365a51d3a6884bcd0db9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 acc3b3a7bf98e84476341e314ad146ec
SHA1 581092994fe3ced61b0bfc2fd08b5c6d19cf64f3
SHA256 f608847636ff9084b103f84ece698d7b9e75159000ab09727278c394e79f0f17
SHA512 e8ac9ccd29bdb85881df9ff5c745a063190293012a703c411ab00bc9598712fbfeba424cbc416e1bb941ddc55b077f4e209015595b5aefdbcdfa1fe80f732b1a

C:\Users\Admin\AppData\Local\Temp\Cab85A4.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\646C991C2A28825F3CC56E0A1D1E3FA9

MD5 cee70d925ec26494b55db142979f9771
SHA1 58bb5093be0bb5228921aaf5ce3037b4fa9d3980
SHA256 4a10d2fcd6f33ba842e1bf7ab2b5823a907ee994a2ee65d1edc4244d9f8d5952
SHA512 3afadfb767b38553b4ab1bd00d7c8c3212f10ac5fc4e4124aa6e435ee6295b6b5f5d23f673ce382b389aea8854ad291278652c5daa2607200fd20d357eec6cb8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\646C991C2A28825F3CC56E0A1D1E3FA9

MD5 2075f9b81f3b89bc359ddd10eb29c1b6
SHA1 69733862e65ea3005862a4357e571d9543e33306
SHA256 8e7c9a1f4f5b48e680f0ea9151bb5e7e2f4eb66249a49a7e0873f48635c5d1cc
SHA512 d1eaab63b2d8d25d5b354e7bb7c1adc03423dc174216b28862cac61d201b12ffa6f0d1e8801f3ca5873c926d836fc68cb106fccab325f07c3dd4f81e7f05b58e

memory/1712-50-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1712-51-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe

C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe

\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe

C:\Users\Admin\AppData\Local\Temp\Tar9AE9.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:58

Reported

2024-01-15 05:03

Platform

win10-20231220-en

Max time kernel

296s

Max time network

295s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe"

Signatures

Detect Vidar Stealer

stealer

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0ca184b1-f8d1-4848-a898-ec231c7e2c84\\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 308 set thread context of 3272 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 4752 set thread context of 1152 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 1084 set thread context of 4812 N/A C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build2.exe C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build2.exe
PID 4980 set thread context of 656 N/A C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build3.exe C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build3.exe
PID 2244 set thread context of 1796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3056 set thread context of 4112 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2068 set thread context of 3224 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4784 set thread context of 2400 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 308 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 3272 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Windows\SysWOW64\icacls.exe
PID 3272 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 4752 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
PID 1152 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build2.exe
PID 1084 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build2.exe C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build2.exe
PID 1152 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build3.exe
PID 4980 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build3.exe C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build3.exe
PID 656 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2244 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1796 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe

"C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\0ca184b1-f8d1-4848-a898-ec231c7e2c84" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe

"C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build2.exe

"C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build2.exe"

C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build3.exe

"C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 1892

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network


Files

C:\Users\Admin\AppData\Local\0ca184b1-f8d1-4848-a898-ec231c7e2c84\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build2.exe

C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build3.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe