djvu | 57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50

Analysis

max time kernel
298s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
Size

834KB
MD5

b68bbdac4ada5ab4ec6fbf6e49d70add
SHA1

2868bc0c32ac5ea7add1e1f38ef4d4e048f77201
SHA256

57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50
SHA512

46873523781249c2a28d334514d9c6a8d9c1905103222596d1a9d1a09520b669a0417fe8b756850d8d14de3e0c28a0240fcba1870a4f305cc98ed54aa6102779
SSDEEP

24576:xSvdNgkYQ5LJauttYHlf0IqyTy8wlJeue2v:kvdekYQjaUeHlXbhwS

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2876-72-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2876-78-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2876-77-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2340-76-0x0000000000230000-0x0000000000260000-memory.dmp	family_vidar_v7
behavioral1/memory/2876-228-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2424-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2424-7-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2424-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2348-4-0x0000000001D40000-0x0000000001E5B000-memory.dmp	family_djvu
behavioral1/memory/2424-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2060-34-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2060-35-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2060-49-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2060-48-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2060-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2060-56-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2060-55-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2060-79-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2060-187-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
2340	build2.exe
2876	build2.exe
840	build3.exe
912	build3.exe
1648	mstsca.exe
2432	mstsca.exe
2780	mstsca.exe
2880	mstsca.exe
1472	mstsca.exe
1788	mstsca.exe
828	mstsca.exe
1688	mstsca.exe
2892	mstsca.exe
2232	mstsca.exe

Loads dropped DLL 11 IoCs

Processes:

57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exeWerFault.exe

pid	process
2060	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
2060	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
2060	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
2060	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2820 icacls.exe

pid	process
2820	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fae77804-f316-4a24-b4de-17fbb837b72c\\57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe\" --AutoStart"	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.2ip.ua
4 api.2ip.ua
9 api.2ip.ua

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 9 IoCs

Processes:

57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 2348 set thread context of 2424	2348	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2284 set thread context of 2060	2284	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2340 set thread context of 2876	2340	build2.exe	build2.exe
PID 840 set thread context of 912	840	build3.exe	build3.exe
PID 1648 set thread context of 2432	1648	mstsca.exe	mstsca.exe
PID 2780 set thread context of 2880	2780	mstsca.exe	mstsca.exe
PID 1472 set thread context of 1788	1472	mstsca.exe	mstsca.exe
PID 828 set thread context of 1688	828	mstsca.exe	mstsca.exe
PID 2892 set thread context of 2232	2892	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1860 2876 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2460 schtasks.exe
2804 schtasks.exe

pid	pid_target	process	target process
1860	2876	WerFault.exe	build2.exe

pid	process
2460	schtasks.exe
2804	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build2.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe

pid	process
2424	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
2424	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
2060	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
2060	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exebuild2.exebuild2.exebuild3.exebuild3.exe

description	pid	process	target process
PID 2348 wrote to memory of 2424	2348	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2348 wrote to memory of 2424	2348	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2348 wrote to memory of 2424	2348	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2348 wrote to memory of 2424	2348	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2348 wrote to memory of 2424	2348	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2348 wrote to memory of 2424	2348	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2348 wrote to memory of 2424	2348	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2348 wrote to memory of 2424	2348	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2348 wrote to memory of 2424	2348	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2348 wrote to memory of 2424	2348	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2348 wrote to memory of 2424	2348	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2424 wrote to memory of 2820	2424	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	icacls.exe
PID 2424 wrote to memory of 2820	2424	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	icacls.exe
PID 2424 wrote to memory of 2820	2424	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	icacls.exe
PID 2424 wrote to memory of 2820	2424	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	icacls.exe
PID 2424 wrote to memory of 2284	2424	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2424 wrote to memory of 2284	2424	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2424 wrote to memory of 2284	2424	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2424 wrote to memory of 2284	2424	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2284 wrote to memory of 2060	2284	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2284 wrote to memory of 2060	2284	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2284 wrote to memory of 2060	2284	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2284 wrote to memory of 2060	2284	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2284 wrote to memory of 2060	2284	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2284 wrote to memory of 2060	2284	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2284 wrote to memory of 2060	2284	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2284 wrote to memory of 2060	2284	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2284 wrote to memory of 2060	2284	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2284 wrote to memory of 2060	2284	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2284 wrote to memory of 2060	2284	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
PID 2060 wrote to memory of 2340	2060	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	build2.exe
PID 2060 wrote to memory of 2340	2060	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	build2.exe
PID 2060 wrote to memory of 2340	2060	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	build2.exe
PID 2060 wrote to memory of 2340	2060	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	build2.exe
PID 2340 wrote to memory of 2876	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 2876	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 2876	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 2876	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 2876	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 2876	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 2876	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 2876	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 2876	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 2876	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 2876	2340	build2.exe	build2.exe
PID 2060 wrote to memory of 840	2060	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	build3.exe
PID 2060 wrote to memory of 840	2060	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	build3.exe
PID 2060 wrote to memory of 840	2060	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	build3.exe
PID 2060 wrote to memory of 840	2060	57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe	build3.exe
PID 2876 wrote to memory of 1860	2876	build2.exe	WerFault.exe
PID 2876 wrote to memory of 1860	2876	build2.exe	WerFault.exe
PID 2876 wrote to memory of 1860	2876	build2.exe	WerFault.exe
PID 2876 wrote to memory of 1860	2876	build2.exe	WerFault.exe
PID 840 wrote to memory of 912	840	build3.exe	build3.exe
PID 840 wrote to memory of 912	840	build3.exe	build3.exe
PID 840 wrote to memory of 912	840	build3.exe	build3.exe
PID 840 wrote to memory of 912	840	build3.exe	build3.exe
PID 840 wrote to memory of 912	840	build3.exe	build3.exe
PID 840 wrote to memory of 912	840	build3.exe	build3.exe
PID 840 wrote to memory of 912	840	build3.exe	build3.exe
PID 840 wrote to memory of 912	840	build3.exe	build3.exe
PID 840 wrote to memory of 912	840	build3.exe	build3.exe
PID 840 wrote to memory of 912	840	build3.exe	build3.exe
PID 912 wrote to memory of 2460	912	build3.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
"C:\Users\Admin\AppData\Local\Temp\57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Local\Temp\57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
"C:\Users\Admin\AppData\Local\Temp\57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\fae77804-f316-4a24-b4de-17fbb837b72c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2820

C:\Users\Admin\AppData\Local\Temp\57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
"C:\Users\Admin\AppData\Local\Temp\57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\AppData\Local\Temp\57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
"C:\Users\Admin\AppData\Local\Temp\57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2060

C:\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build2.exe
"C:\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build3.exe
"C:\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build3.exe
"C:\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build2.exe
"C:\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build2.exe"
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1436
2⤵
- Loads dropped DLL
- Program crash
PID:1860

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:2460

C:\Windows\system32\taskeng.exe
taskeng.exe {DA6A826C-417B-4063-BB79-ACAE26B88580} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
1⤵
PID:272

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1648

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2432

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- Creates scheduled task(s)
PID:2804

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2780

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2880

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1472

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1788

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:828

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1688

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2892

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
8112ab2a9d7578692e66734917d00015

SHA1
5dc1f7cb2c66c925d195fb98784917d108a001dd

SHA256
919561b1927726f5218e79f21184c4bf7117db4466686fc93d3d5dbc1380033b

SHA512
538f1f36b44d628d2ade163cc40deb58b50cb7fbd56019d9526c8233c30771db8542ed5786d311322dfd2e9d44e979da9513c4a0bbc7416b47bb7beca90013d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
2910eea557dda93bb6223fb877c8e901

SHA1
98a6ae8c2346de51748c10f63afcde8fe3c9f1f9

SHA256
a368355daae57085211f45e783500ee82d5901de91302ffb24bdd160689ff960

SHA512
4f10b9fad215ba5af4bdb03572f2647ec8336e0f0c00ea44763602ac6717fbc38e86c0f502a62a7648b875d738e117658fc834336bb77ef5ead7d8eb64026f91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5b3f76006280a2e1ee6852e8d365b1e9

SHA1
899ab76ad66d9a2bd6191bc2f7d0301bdd40f8fb

SHA256
db6852d135091ec3a70dae2d827e4986542a7a01bd4d1557c95435cd12c3aaa6

SHA512
ae84fb88c0a56ff049a92b3fc749c7b39fd0d8d0de398905973c062b1ef671a70415d5e3368b778d526343e203a3f2ac1dcc4d100ba3330815f2fc5a9132ca9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1eb197b77b29d14ca63739ef33800141

SHA1
8fe7eac8d829d41f56552d48f7ebac1093a7b484

SHA256
30e4cf61688010dbae80548b676a74a61920d30618e359c7520737f0de65d49f

SHA512
7590e46056bef9e49e9b615e35037dc095b5625003602d91ed95785945316d3a09c71b0aa81fae9531fd024daa2b66466a2d2ae505eac59910e89cbb0ca27852

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
aebdee6221d391ded8f874f7f81f42b5

SHA1
7d079cfe0d06eeed13f9076aa9caad0476b94ea9

SHA256
be3aebcff524eec6094f25a319b0093e44703c598d05bc09b3fce0c34b7bc232

SHA512
6ac9f435d56f968e0c9bb58f9f68f8e9f237607b71a9d96e82d12bf99d4089a5a6ffe0db81b8c9cfd7d97b247c7532b9a7c6ba04db111c7815fcd7a44430e565

Download Submit
C:\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build2.exe
Filesize
15KB

MD5
0269472ac3e3b97114cbe3837cb69e0f

SHA1
dc8122ddc03fc5da4bdd2ca16bd6cb7916086c52

SHA256
51f6956a5abca4debb7d068ca813e9394a2edf3319a2b78e6359f4f033d12853

SHA512
f4bbdea84e990ba0ccc34a95523ab980f5b70a9075363146088a8ab14d3060b7658116208d807c497a4e2c987e13a5711a4bf0edefa61a6a850aea2c435b7ffa

Download Submit
C:\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build2.exe
Filesize
60KB

MD5
f9dc1ab03d01434c04cb93a5a57a9647

SHA1
e4585668868d966e1fbff3492d51cef62d3d9523

SHA256
f753c8a1aa304db4d572ed4347bebc3acb54185bfef56618c4530ed7a8e94137

SHA512
c41e94e1a3ee2a905d377b80703f747a9b496cd22dd0ceb4a3b43d8ca073fb13ab015066bd3efa7d9b6a8d3d973fbd55a2bfe8ae9080e2dcd2b2f872ae3e43d2

Download Submit
C:\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build2.exe
Filesize
159KB

MD5
055658c5dba06a12d6fd9c2588b8775f

SHA1
16cc32ff9abbef9a160ec73264ec0d73b5aa03d6

SHA256
c2107c780bdb91b65ee52814426297a95c70ecd049e8150571231b468546d6df

SHA512
eef649232f98dfb86bd18e0dfc304728bf65b0c8eed7a046f5a827fb6ef294d3150d66703e5771f964a8ded743d92e5ba3bfcaa599cf5eebc64f621147059f46

Download Submit
C:\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build2.exe
Filesize
139KB

MD5
c6a20e7e366e47fd481b9d6689351712

SHA1
89aaa8c374e219b6e92f4d0e397d5b0a3a0df341

SHA256
3816cf3189702cc1b1abb57cef4efac068bbacae33c0079e950b4b872918ba4f

SHA512
3583efdabc76280ae8d42776370428ab54a0606e775355175911b94983887d87a14db8190edcf6650fd6722145afbefd206cfe5d8227cecf3a5a02454713b75f

Download Submit
C:\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build3.exe
Filesize
104KB

MD5
8ab67da620b4cb94cabd23519300528b

SHA1
56d90425492331875f9b1d9c7bfb0ce186f0aa96

SHA256
283779bdf6a610d0d0155844b9d6f241d935fd7c0ca4d185b30e2ca34df1e14b

SHA512
4f9ab561d038440ccd29c184d48a09f593777d3bba61013fe3c81bec8c827f9f9b54faeebda54e32796d3c1b84798ee8e464292de0ab5a5a8a053c57905920db

Download Submit
C:\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build3.exe
Filesize
88KB

MD5
8565c33fdbade2c9bd78cc3f38969abb

SHA1
30b6ab97fbdd404d7a1cfa99e840c3812e15f11e

SHA256
70a1f2953e04820c2c7f76d2244870486b25871d63e6db26b703577dfe0ad642

SHA512
ef31b3410bd429dc7ff84153a6cec775b05d6701904ab24d52e7082e59fabeca73c66222c35045cb12503c0dda75b2e6e26db22d3a2863a8eb6f3062b0ddcf0a

Download Submit
C:\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build3.exe
Filesize
1KB

MD5
d35c806c95b926208b06f305860de044

SHA1
fd111b2072749c0e2b3f1bb7102e4fbcdd8b931b

SHA256
722325dfc7e0a3d8b9c5bcf978e54f9a90a83ffa5d14372a51dc7c3609fee061

SHA512
cb5f66f83bd6a8ddad6d740479d17352d3a8249ab6fec7ea0ee071dcc7f9855ed378dee61bb65e92d272e3fb8187282ce08d0694550cfa610bf6e6508ec5b6a6

Download Submit
C:\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build3.exe
Filesize
19KB

MD5
f77bfd558fc333472965a0f7f49262a7

SHA1
89187c7c6bd13c5397f23681e755f408770950ea

SHA256
6cd9d17cc56b359ed7688f168da3daa88c4b4b2a851f4b782e13b3e52b8ff78c

SHA512
319aea7e17b395e02a167990825e968faad9276335fb9ad491b70ed8dba8e2f874349fcd338e4c684c94a6adbc186246a70530e0632a6e1b0f7e3cbc7e27c8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1890.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2D49.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\fae77804-f316-4a24-b4de-17fbb837b72c\57845addd00c0383048d8fc52728bd507abb3dd0f9b4d1befa07b573efd1af50.exe
Filesize
16KB

MD5
9a45dea26b116e06865aed9f6d583711

SHA1
6742526373e215bbecd31b3bb530485d40177d28

SHA256
b522fa86a32b89bfb66afbd8be09fa38ed7991e6b20cb653508556512e5fb533

SHA512
c828a48c7883b035c6dc42476a0c42ca2807ee7581d4c495271db0d21d91b8239fe388eb186ba05253df20b9d1b72dc3718a7f34f696f7a360014268bc501c16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
97KB

MD5
a289615468e04e2e60af720f788ae7ee

SHA1
616d7a9bd6aef47ffecad2536fcd635ebe99c7e1

SHA256
7ee17c2e8ea8406e3b7d04b1626f3a6444fa8a309a6df9811cb6bf23e5df26cc

SHA512
d995159f76a782449fa43809ce07544e82c537e9be23b22b0b2fa103262d9bbeca62f84eb7be13ac907a7ca965ddbd808e8520da44abbd870c4298a824d8b8a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
214KB

MD5
4379c7b0f476449e6343c5a67193c546

SHA1
ff3f2faf8074cf4ff5fa6302e7c37bd9315e2f81

SHA256
f0d69809b9b88e11bb5d373103f1fdd0e14bbbb6f85eedf410d9d03a2b3467ac

SHA512
fcca632feb7b20ad1fa216ca9ecacd21334e50f905ca86462c10247cd382916b9b0a07fac32e24205117abb8000ec87623ca3f817ef510dc9e98d837f8e9a7ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
161KB

MD5
1537c52f77f1adfc2023189cada26792

SHA1
d17f8904d1785e9ce930f8d75dc261f660bbf763

SHA256
52780746b69660a986c6b6072904ce6ed0e4d0970f1fe48e5d14ae92718ae5a5

SHA512
3628f19500e1d206540f761c428098018a866b00a65c1c973ade50e3c23b3f232d201e3a7a91be121761dd7242a7018ef4feb64bd1063b14a5665e89d0915a81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
255KB

MD5
a2e2273303ee5707567f80bf5e6908a5

SHA1
7a73a70a725f258b6deb5e044101ed80ad1851b3

SHA256
d3f3c2c0b452a460281cbaf027bae9714dc5ac8b94a4c9df12e8db1f3d35c6c4

SHA512
c72e2087f14249694696cf401390086f3eefcc754d43e19fa84accf91b324ef14e428c6f3f1fc34cedef47756c68af7ec760d735d73a4e65d774f8c4dc7ded17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
221KB

MD5
109864f29230dfd39aedcb0815c84fbd

SHA1
c495843c56cda5cf90659d5a4f0913e33b84b693

SHA256
d8517e7041e24d03143f4ef4d958770cb84098a9d06996f334c1ad4b6140832d

SHA512
3b8a1f80579f338764da4c08023a38978825b57f3ba8d47af455dae0a1008514bdd3228e20af727de056e0b595d9b974ec9239cf3a5234547353838760f3a39b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
161KB

MD5
b2a65f0e39bf635542e8d43789bd3d30

SHA1
19cc273a1a15446e6d532dd1b46f53913f3803af

SHA256
06961120b32d9fc261b532946cd4fe4489ae67cebd53f34b9a6499c7f23cf73c

SHA512
3d7adbe6a88e19058f60c78e81ce147d00600cf13eb48f7e0451bbaec350b258d994ef90ad043932a0e418ceee2654d809d9e52b898918ef33b6a5121640d0b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
157KB

MD5
adc50773f4591c6ed67f2fe08681b3d9

SHA1
5adc079073af2b57852652b17990105bd4c9df28

SHA256
44b6aee0152b196d4204606295df545f1ef432f508fcac4cfdcb35d11896f53e

SHA512
0ba4c0cf9c93fa8be6cd178f4b2a40bbb25febad27aef08a0740100ae361094ce1e1f855f9a67fd01d2ca1dfa8fcc1fc7967935dcd1ea2ec1d9a6add207764d8

Download Submit
\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build2.exe
Filesize
57KB

MD5
4fc05c80506b8966177a3d57998b6515

SHA1
76af41b415a49c31e6747b8f0571ae7ea7855c29

SHA256
68765f9d2b17fc2b66a1b34397ef01f69544bc0937855952621d87c25b7a6dab

SHA512
b93e3bf7138defc06f24f0d9e0487e17b862a4994546b83f20f3ead78f6b6bcb32834a123bca24aeee9a09e703a1e85b3ce25c0c51e45e13a735368a8b91600b

Download Submit
\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build2.exe
Filesize
31KB

MD5
0700ae4c713210d5d1c757525114dd91

SHA1
4558ebc2ed2cdf631ed22075c515a70de12e8e2e

SHA256
bb11681fe1fb64fabe0d1f67881830dad415d6d5adf2b44889fc0f44bcc34f4e

SHA512
2e5374fc9a7acc299ef1a60ff66de08ddc42a98b3b7158f00533f66309210af7d26117ae8d74a299145f938a85460381317f8ec12feb805176e5bb572e636105

Download Submit
\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build2.exe
Filesize
24KB

MD5
279b7d29e5b3020ab39d4a3b77abc0c1

SHA1
e46c15117ae765fecd60f9c11ae731f1d18a4465

SHA256
c1aced66a2f19ae927d0a1a88ec475220107477be9bfb0a6565448ed9d18cbd4

SHA512
f8ae6a21eeee38c1cb332b44b9783bd7e85e7fc0cc7c97077b046cb0f459f03cebc0abfb30e7880362b62bd074a7bc2bfeaa0efee68e66e8864f29b26ba568d2

Download Submit
\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build2.exe
Filesize
47KB

MD5
6b5b925ecc784f97d9946f0cc1e31422

SHA1
bf6e39d6c6266556e9776f82933f583e15ff2a63

SHA256
a26ed15d8205b43655e0ce1d8077f6fbe36894fe6849bc33ee6598f15fd721d8

SHA512
8899bd919a28bd586daa0548cd283e6f59d5fd1829e9f893e40248691fa31e639cfd3db1c7476bf16e4bd53ada2241c745c07883b097e53de5ad16ded7862c67

Download Submit
\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build2.exe
Filesize
92KB

MD5
230239a54eb2b96fb8264eb303534dc7

SHA1
c415fd0af6bd976f59187cfce9fe2fb812fa2796

SHA256
5b749776328733e38ef3caafa20b587a16ce8fb9cd82bd1de6c76a0ca4366fc5

SHA512
5ba643f0bb4e2284ccb06041bf15c21d5e21943cac7a4a2c28dca2cb74094bae7057936ae7101e89dc6b9e7f5849f00e93991bdf1d0a59102ff5f1b67566c7ea

Download Submit
\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build2.exe
Filesize
107KB

MD5
9dcf163b3b476143d972bf5aa1a8d392

SHA1
f5ce489eb83ea817fac1ce52afe0ddc69979df20

SHA256
a5b3c870d2bdfaa90f02452548a2b72330de758f222582acf7b7f713d10c4424

SHA512
343761b9d579d3712cb2505bfacec90803ff5325959b93e4e315f52aeb9d801ad6e62454f810bae56b9cefb343f65ca1e2640e4406dccd05e5e188c7c049745a

Download Submit
\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build2.exe
Filesize
14KB

MD5
134fabb8751625f5c7d1a13081e376f4

SHA1
db6d151e0fad6510a5a032d3086d6626d7b09f55

SHA256
998460500f77f8e3ab185b8723e0faed7cce35031170648dc6c8d178d0b601f4

SHA512
9119e241fa9764fabd105bf1af0aa2f561a9a586ea6fe2f1e6893f2b332645332b3cb3a14efdffdde54084824c8e230b3c30fa942e8800b13f54d1e3c449f126

Download Submit
\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build2.exe
Filesize
292KB

MD5
065ab756c557cb3ea45db8aa608d36b8

SHA1
fbfd5de4dbdee12f766180b36dae801955acc8f8

SHA256
e9ed66221f6f2d153ea7cc98073b5220827045399de31d5f3ec44316a3cead78

SHA512
3bb8520a5a35010a147252690a7626c7774d3e1a45f2f6acbb53663b62719d0fbd3be838b41697b1dbc1398a725c3e69b7ea7c5f00cd1b5f07a013aee093ea2c

Download Submit
\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build2.exe
Filesize
173KB

MD5
1a2273d1b181c317aa68ab74bb9db440

SHA1
fd96f9409e3d4d5168a146a1ddf8b75ff3c633f6

SHA256
8141cdffa0813f41c6bfc151f2f4f9b39cd304ad9c1abd21b1bee6957eb50ea9

SHA512
4f8b8dab947e429965a0d3c944879c59e703d01a1f857d79ef417966b07e666056e79767a0e4f1553f9b0bf1e464f07d3fcb4fcce4958a6e516d16352c467bb3

Download Submit
\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build3.exe
Filesize
14KB

MD5
cf889705573c7be9841fc6cfcce20049

SHA1
bff08c8a35e023293262800aa5754afca6045ca8

SHA256
397dbc47677a6ffd497dec6dcfe9c3d7ad8c6f825de77c7a742d2ed95bf58f18

SHA512
78ba4b4b48f553f76eaeee270b8622df56b325d6dcdce73801c4da9478ff6221cbf3150e865669d6a6e7ab01b12b0818abaff94bff9cf11f1f9f66354d46cdd6

Download Submit
\Users\Admin\AppData\Local\86bb611e-58d1-4f25-9c14-b28c94d2120d\build3.exe
Filesize
78KB

MD5
0631442c1d9db5b1ebee78b7c3328422

SHA1
42599dffe496ea9a714eecc696f4990a6a14fe62

SHA256
2ae1e3739b2980884fb5afea754e36a811fbfb01632c73bf1226bdf398f70b72

SHA512
2330cb636480d20ea352319102e74f43e4571d33a10adcd49033c367e69799e13590b8e1327f31f5487b0591624d0c363bb8acb6e08127ba70574db9d45d878d

Download Submit
memory/828-326-0x00000000009F2000-0x0000000000A02000-memory.dmp

Filesize
64KB

Download
memory/840-221-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/840-219-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/912-218-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/912-216-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/912-225-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/912-223-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1472-298-0x00000000008A2000-0x00000000008B2000-memory.dmp

Filesize
64KB

Download
memory/1648-238-0x0000000000990000-0x0000000000A90000-memory.dmp

Filesize
1024KB

Download
memory/2060-56-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2060-34-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2060-79-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2060-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2060-48-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2060-49-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2060-55-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2060-35-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2060-187-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2284-27-0x0000000000360000-0x00000000003F2000-memory.dmp

Filesize
584KB

Download
memory/2284-29-0x0000000000360000-0x00000000003F2000-memory.dmp

Filesize
584KB

Download
memory/2340-230-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2340-74-0x00000000005B0000-0x00000000005CB000-memory.dmp

Filesize
108KB

Download
memory/2340-76-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2348-4-0x0000000001D40000-0x0000000001E5B000-memory.dmp

Filesize
1.1MB

Download
memory/2348-0-0x0000000000220000-0x00000000002B2000-memory.dmp

Filesize
584KB

Download
memory/2348-2-0x0000000000220000-0x00000000002B2000-memory.dmp

Filesize
584KB

Download
memory/2424-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2424-7-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2780-270-0x00000000009F2000-0x0000000000A02000-memory.dmp

Filesize
64KB

Download
memory/2876-78-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2876-72-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2876-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2876-228-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2876-77-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2892-356-0x0000000000960000-0x0000000000A60000-memory.dmp

Filesize
1024KB

Download