Malware Analysis Report

2025-08-10 18:25

Sample ID 240115-fnhfpsagg4
Target fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581
SHA256 fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581
Tags
djvu discovery persistence ransomware vidar stealer
score
10/10


Analysis Overview

score
10/10

SHA256

fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581

Threat Level: Known bad

The file fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware vidar stealer

Vidar

Detected Djvu ransomware

Djvu Ransomware

Detect Vidar Stealer

Downloads MZ/PE file

Executes dropped EXE

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-01-15 05:01

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 05:00

Reported

2024-01-15 05:06

Platform

win7-20231215-en

Max time kernel

294s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe"

Signatures

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b54d97d1-676a-4426-92a6-fafb184e0c36\\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1888 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
PID 1992 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe C:\Windows\SysWOW64\icacls.exe
PID 1992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
PID 2784 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe

"C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe"

C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe

"C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\b54d97d1-676a-4426-92a6-fafb184e0c36" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe

"C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe

"C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 zexeq.com udp
KR 211.119.84.112:80 zexeq.com tcp
KR 175.119.10.231:80 zexeq.com tcp

Files


C:\Users\Admin\AppData\Local\b54d97d1-676a-4426-92a6-fafb184e0c36\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe

MD5 571bf691b597dc10811db287e2bb3048
SHA1 ecb334238098a80c3b1fb36c496510db30a13218
SHA256 daf909e59171558f7f73cc7f2809c967e587420872c8399ebe1593d8b0bf60dc
SHA512 06079da9552ec1d477589ed01db6182e7db82ec36273938f7dc09b6661412148467dfca5bea5fa8a4834d2ec3c9c28287e99835644d26154e60deaf1ee8158cc

C:\Users\Admin\AppData\Local\Temp\Cab3276.tmp

MD5 2912bdef520e7fc7ae80f4acb3d3330f
SHA1 34cc39fe6994f3f562663ec2eef5e7c39b833827
SHA256 7508c5d1834f752074ec8cc63783468914b82595c25e9c7a61eca45ca0a030ec
SHA512 1e074916137f50e3fdc3f316726d71ee6767af316df9197af1bf6a7ef7e975cbe049e47c000544816c53d19f0951b917b0b9fe3a660ac9bf3083c50428d8acd4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e40ef7ac7b65a13dcda932dc803a497
SHA1 8068d60cf79b3d63a5a8c69e59a019e7cecadd7e
SHA256 9db0c0029fce81b798402b00d62557af5df52505f3426077a10e8695a8bb969e
SHA512 801788312242832079def7999cd1f19a86eef5f76ac7911eacb3ea42aa613e552d1e66b9d55544e5cbb8cf611e3881977ff14a19c3da3726cc7db6452af0fd39

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8746f11e4cf6a7e5b3b9833b4439da12
SHA1 3f2a64922f41325d34ee34dcf969e4eb7d5728f4
SHA256 29eb9d8f366602a1879ca986fad4fffa3954b28a19580b3a6d27a20a543e3d35
SHA512 f19066b4542b4c8c982fc336df1164c21f2c304b248ef4458ef3f625a06d051945e66972ff2823a11cd147ed4e3eaf59198449f8543908ddd281cacfcf424f57

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 437d1a402b4122055542b07ccfb3d97c
SHA1 c4e8b2b613619f530b03c5cce2c58e00eea1f67c
SHA256 8ec08720e53c93965d9c2ba48b505e16218b6e0fc4dab544dfda3b119c55137c
SHA512 485a6bf7a0de2d1deeed64d9fdec02209d410a5991b2d2522be3c3d2d62649a7b1b7b57e87bc0588099a42cfe72affe5aaabf25104ebbdc1b34a06ba7dc7ae0b


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 05:00

Reported

2024-01-15 05:06

Platform

win10-20231215-en

Max time kernel

297s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe"

Signatures

Detect Vidar Stealer

stealer

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

Vidar

stealer vidar

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\df201177-d6f1-403d-82c6-f32c0a856607\\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
PID 3656 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe C:\Windows\SysWOW64\icacls.exe
PID 3656 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
PID 3540 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
PID 2956 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe C:\Users\Admin\AppData\Local\27ab44ae-40f5-4f60-bf99-3ac58bc09a89\build2.exe
PID 3856 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\27ab44ae-40f5-4f60-bf99-3ac58bc09a89\build2.exe C:\Users\Admin\AppData\Local\27ab44ae-40f5-4f60-bf99-3ac58bc09a89\build2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe

"C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe"

C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe

"C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe"

C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe

"C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe

"C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\df201177-d6f1-403d-82c6-f32c0a856607" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\27ab44ae-40f5-4f60-bf99-3ac58bc09a89\build2.exe

"C:\Users\Admin\AppData\Local\27ab44ae-40f5-4f60-bf99-3ac58bc09a89\build2.exe"

C:\Users\Admin\AppData\Local\27ab44ae-40f5-4f60-bf99-3ac58bc09a89\build2.exe

"C:\Users\Admin\AppData\Local\27ab44ae-40f5-4f60-bf99-3ac58bc09a89\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 2040

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 zexeq.com udp
BA 109.175.29.39:80 zexeq.com tcp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
KR 211.181.24.133:80 zexeq.com tcp
US 8.8.8.8:53 133.24.181.211.in-addr.arpa udp
US 8.8.8.8:53 39.29.175.109.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.202.0.196:10220 116.202.0.196 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 196.0.202.116.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files


C:\Users\Admin\AppData\Local\df201177-d6f1-403d-82c6-f32c0a856607\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe

MD5 771d9306b4cfbbca7c47f52ab6c40217
SHA1 5fbc05a8d829f061775e041a41b032e9e8cd2dce
SHA256 08f08c53c8388a075cb7ba93f5336d5827b525da351c24a4706d9aeedf72dd71
SHA512 5b211651d74f5417d702072af374295dcd2a0f1fde0f70c1cf25282b74c639e3d5ab5a9f7bf89e8742053bc947f1a3853fbf2352356c3729fc0448fdc18b5a60

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 f92c0b93181f7682f6d77f8af3c36499
SHA1 75ab8169f3957329255f22303745e70a074d59e6
SHA256 39720551284c236816ee58482891e249769855ea82ad359d40dff9179a165bb6
SHA512 ebb03769bc7647289dad0ea98e9a0b487739c1f7c46fdd16fb2264c2057a4a63419a3a725b7d39ad7ea8835e52589cbd9b624b9d72cc917377ffac2407f7b1ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 dd10d0917a6de815007061ceab2f9858
SHA1 45c2e20bf6253438ba7b8d6147aa73c35d62bf5a
SHA256 4f260fc725d0e8dad1707964503ab9abb6c7875a3de8cffe90d572f772bf98c4
SHA512 f492933c212806a315af8712235ab901c491ddb505ef514d74159c7600eb17998df841a6b342d99b95ab8ec46ba64aac667455e48f8a377ac83c03a9ba39c356

C:\Users\Admin\AppData\Local\27ab44ae-40f5-4f60-bf99-3ac58bc09a89\build2.exe

MD5 29d75bd1a91b7cdeb73fc2f227d0a7c2
SHA1 28cf770aead8400153666bf2a4537053eb187269
SHA256 13c60a54b695c2e13b21f95ea38198f8294b8c9561117bd0981b68bd6ca805c1
SHA512 1bc4ea86d464f7befc672b8ca351ddedf9d405153b5d23e8531f0678c909f3b8f395322e227ca3ecda1e88cd2266c10131d82fd45784a9311dde859af01363c0

C:\Users\Admin\AppData\Local\27ab44ae-40f5-4f60-bf99-3ac58bc09a89\build2.exe

MD5 616621be84a8fd899b7faf2902ef6ebe
SHA1 fa30297b1abc2800ab7475d68cfd418d5fb05b7a
SHA256 0ac095a964fa6d2e8c6cd15e014792cbb99df1995ce368b04d091a5fc9c6b6b8
SHA512 18026b6cf831ceef7a04b2271a86439f8d1e919eadf65c014e292964df9fb3600e6e7960727ad4aa494726d16a37a0f4a3dd6ea92a81fd20417aa8eb63574b4d

C:\Users\Admin\AppData\Local\27ab44ae-40f5-4f60-bf99-3ac58bc09a89\build2.exe

MD5 1f79a2d92212e4afaf81ca196bacb291
SHA1 61ae3c38481fb8fcadc3b4df63932aebe1cb4520
SHA256 6beccacecf877202e84b0565fccaf77bc6075b83fe009d9238aa59ac64f523c3
SHA512 b37f070c10e6eb07111182b2168f0e41e7c17bb782fd1105992ab7acf1dfbadc4208fe4d351fa446fd46bd231d47457d26855f6d6bb8ca5ec5343b399a4b7ecc
