djvu | ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb

Analysis

max time kernel
297s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
Size

726KB
MD5

61c4d9f394531ddcfc3189c3da7589d7
SHA1

4df7149dc944eb928cfc81b73df456bd730ec77d
SHA256

ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb
SHA512

df9b67d73a3e327d6d0b60efda8844e92bec85da2273a0489e74b34039b361014a7a49bbbdd8a901e85e06dba83ee3bc08306751ff6d60a09e52fa87bbfd4f80
SSDEEP

12288:ihXRwaswqCwg3AOXbNLItSgrZgu8jCrbg9XIrV/Nxb36YQDDv:CRwaswq4wOrNLIHbSIrV/j3Kv

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1500-78-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/1500-79-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2520-76-0x0000000000230000-0x0000000000260000-memory.dmp	family_vidar_v7
behavioral1/memory/1500-73-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/1500-229-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2272-7-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2272-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2272-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2372-3-0x0000000002D50000-0x0000000002E6B000-memory.dmp	family_djvu
behavioral1/memory/2700-35-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2700-34-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2700-49-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2700-48-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2272-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2700-56-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2700-55-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2700-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2700-57-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2700-169-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
2520	build2.exe
1500	build2.exe
1744	build3.exe
2332	build3.exe
2380	mstsca.exe
2576	mstsca.exe
268	mstsca.exe
1644	mstsca.exe
2056	mstsca.exe
1284	mstsca.exe
1520	mstsca.exe
2376	mstsca.exe

Loads dropped DLL 11 IoCs

Processes:

ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exeWerFault.exe

pid	process
2700	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
2700	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
2700	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
2700	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2844 icacls.exe

pid	process
2844	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\06253f4e-1f30-434f-bdb3-83f8dc4a6732\\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe\" --AutoStart"	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.2ip.ua
4 api.2ip.ua
9 api.2ip.ua

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 8 IoCs

Processes:

ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exead77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 2372 set thread context of 2272	2372	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2560 set thread context of 2700	2560	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2520 set thread context of 1500	2520	build2.exe	build2.exe
PID 1744 set thread context of 2332	1744	build3.exe	build3.exe
PID 2380 set thread context of 2576	2380	mstsca.exe	mstsca.exe
PID 268 set thread context of 1644	268	mstsca.exe	mstsca.exe
PID 2056 set thread context of 1284	2056	mstsca.exe	mstsca.exe
PID 1520 set thread context of 2376	1520	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1532 1500 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2260 schtasks.exe
2924 schtasks.exe

pid	pid_target	process	target process
1532	1500	WerFault.exe	build2.exe

pid	process
2260	schtasks.exe
2924	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exead77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe

pid	process
2272	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
2272	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
2700	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
2700	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exead77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exead77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exead77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exebuild2.exebuild3.exebuild3.exebuild2.exe

description	pid	process	target process
PID 2372 wrote to memory of 2272	2372	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2372 wrote to memory of 2272	2372	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2372 wrote to memory of 2272	2372	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2372 wrote to memory of 2272	2372	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2372 wrote to memory of 2272	2372	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2372 wrote to memory of 2272	2372	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2372 wrote to memory of 2272	2372	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2372 wrote to memory of 2272	2372	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2372 wrote to memory of 2272	2372	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2372 wrote to memory of 2272	2372	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2372 wrote to memory of 2272	2372	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2272 wrote to memory of 2844	2272	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	icacls.exe
PID 2272 wrote to memory of 2844	2272	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	icacls.exe
PID 2272 wrote to memory of 2844	2272	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	icacls.exe
PID 2272 wrote to memory of 2844	2272	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	icacls.exe
PID 2272 wrote to memory of 2560	2272	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2272 wrote to memory of 2560	2272	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2272 wrote to memory of 2560	2272	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2272 wrote to memory of 2560	2272	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2560 wrote to memory of 2700	2560	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2560 wrote to memory of 2700	2560	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2560 wrote to memory of 2700	2560	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2560 wrote to memory of 2700	2560	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2560 wrote to memory of 2700	2560	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2560 wrote to memory of 2700	2560	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2560 wrote to memory of 2700	2560	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2560 wrote to memory of 2700	2560	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2560 wrote to memory of 2700	2560	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2560 wrote to memory of 2700	2560	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2560 wrote to memory of 2700	2560	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2700 wrote to memory of 2520	2700	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	build2.exe
PID 2700 wrote to memory of 2520	2700	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	build2.exe
PID 2700 wrote to memory of 2520	2700	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	build2.exe
PID 2700 wrote to memory of 2520	2700	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	build2.exe
PID 2520 wrote to memory of 1500	2520	build2.exe	build2.exe
PID 2520 wrote to memory of 1500	2520	build2.exe	build2.exe
PID 2520 wrote to memory of 1500	2520	build2.exe	build2.exe
PID 2520 wrote to memory of 1500	2520	build2.exe	build2.exe
PID 2520 wrote to memory of 1500	2520	build2.exe	build2.exe
PID 2520 wrote to memory of 1500	2520	build2.exe	build2.exe
PID 2520 wrote to memory of 1500	2520	build2.exe	build2.exe
PID 2520 wrote to memory of 1500	2520	build2.exe	build2.exe
PID 2520 wrote to memory of 1500	2520	build2.exe	build2.exe
PID 2520 wrote to memory of 1500	2520	build2.exe	build2.exe
PID 2520 wrote to memory of 1500	2520	build2.exe	build2.exe
PID 2700 wrote to memory of 1744	2700	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	build3.exe
PID 2700 wrote to memory of 1744	2700	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	build3.exe
PID 2700 wrote to memory of 1744	2700	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	build3.exe
PID 2700 wrote to memory of 1744	2700	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	build3.exe
PID 1744 wrote to memory of 2332	1744	build3.exe	build3.exe
PID 1744 wrote to memory of 2332	1744	build3.exe	build3.exe
PID 1744 wrote to memory of 2332	1744	build3.exe	build3.exe
PID 1744 wrote to memory of 2332	1744	build3.exe	build3.exe
PID 1744 wrote to memory of 2332	1744	build3.exe	build3.exe
PID 1744 wrote to memory of 2332	1744	build3.exe	build3.exe
PID 1744 wrote to memory of 2332	1744	build3.exe	build3.exe
PID 1744 wrote to memory of 2332	1744	build3.exe	build3.exe
PID 1744 wrote to memory of 2332	1744	build3.exe	build3.exe
PID 1744 wrote to memory of 2332	1744	build3.exe	build3.exe
PID 2332 wrote to memory of 2260	2332	build3.exe	schtasks.exe
PID 2332 wrote to memory of 2260	2332	build3.exe	schtasks.exe
PID 2332 wrote to memory of 2260	2332	build3.exe	schtasks.exe
PID 2332 wrote to memory of 2260	2332	build3.exe	schtasks.exe
PID 1500 wrote to memory of 1532	1500	build2.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
"C:\Users\Admin\AppData\Local\Temp\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
"C:\Users\Admin\AppData\Local\Temp\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\06253f4e-1f30-434f-bdb3-83f8dc4a6732" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2844

C:\Users\Admin\AppData\Local\Temp\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
"C:\Users\Admin\AppData\Local\Temp\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2560

C:\Users\Admin\AppData\Local\Temp\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
"C:\Users\Admin\AppData\Local\Temp\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe" --Admin IsNotAutoStart IsNotTask
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build2.exe
"C:\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2520

C:\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build3.exe
"C:\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build3.exe
"C:\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build3.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332

C:\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build2.exe
"C:\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build2.exe"
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 1440
2⤵
- Loads dropped DLL
- Program crash
PID:1532

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\taskeng.exe
taskeng.exe {08F1B4B8-270A-4706-949F-F1877799AA6D} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
1⤵
PID:2532

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2380

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2576

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:268

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1644

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2056

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1284

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1520

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2376

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:2924

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
8112ab2a9d7578692e66734917d00015

SHA1
5dc1f7cb2c66c925d195fb98784917d108a001dd

SHA256
919561b1927726f5218e79f21184c4bf7117db4466686fc93d3d5dbc1380033b

SHA512
538f1f36b44d628d2ade163cc40deb58b50cb7fbd56019d9526c8233c30771db8542ed5786d311322dfd2e9d44e979da9513c4a0bbc7416b47bb7beca90013d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
4c8cc236aba90d3a655bb084be28c6fe

SHA1
491d5f9edb2fd3009380a3a7495a192255d8863c

SHA256
99331453537798ec1af080671b13029777605c29b5e55b6fd610ee49010dfaf9

SHA512
9b3b1ae5cbea740952df9c8bfad39dbc2f23db51419b63a57b986f21f59fd7975fe8ad2ee2e6c64a154a3351b5fd5ea7561b733e2791a365bc9e4ed1064f2a91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
768ee5fb2abb69cdc3745735918106c7

SHA1
5241d03190b816c5f96a45bd0e37a33648312213

SHA256
21c8792961a5a7158f9f754a194b09cc90766f1e218d9c0ed647b298062b02fc

SHA512
fefa090c1938c72d93a884f8e5fe092feda339a6344ed018205b68e62a258fb846d967860ce8b8ad0ae47067ae7b2d496ca2226cf675b834d87ca69aaa3b2968

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6bc761d50f34ef35e04bceb5c5cbf04e

SHA1
daeff8dbb7f3304ba017dd4cb75d9fb7f659adc1

SHA256
6792e428002b4732c5c651dd75e7a5024ce0e92a0e8e52c673d09f833ae522da

SHA512
36338c514593fd490953c9b9c2807fabc13599c5eac9c4add34838ce88dca7c149b8d897734b7c29ab8546cdc506bbe70efccda6d4e8e94cc9bc45338310a88e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
336cab4c0271138585d2976ed265d121

SHA1
b6ff661b045445b588d19fa85001f473cc98f2e2

SHA256
45002a6ccb46e661d34b696932fda1ccfbe9da7f24621e72d3f314058abdb90d

SHA512
308010d5c806e2b6880a4c283ce044dc3c3f44832fc1b00a30545c84d9fcd408e56dd3d499adbc92414e26c7472b1bcd936be92f2f7109eb3264924d587548f8

Download Submit
C:\Users\Admin\AppData\Local\06253f4e-1f30-434f-bdb3-83f8dc4a6732\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
Filesize
130KB

MD5
a914f9e939d3424bc9cec2c1bb2f84b2

SHA1
0f99fb58bbbbb0b88c99304360d2ca16446d86d6

SHA256
f0f45718ab27ca41d233d7a8c6a3cefcc0f1428353b1369a65223eab6af8103c

SHA512
6bc68af49ec252ae5705d4f3676c8e68f5cf63df56e7ba7d8d3d53142294f02f766ccc20e473efe1fc37f115afd83f11a24e442068421d3607ce812349dda28c

Download Submit
C:\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build2.exe
Filesize
55KB

MD5
476c88d4e8c9811cf283b9be0e1cf74f

SHA1
d8b48511c6f783dbf5025f0ec3c534edd87f3413

SHA256
f56f277f1109a23604726c644fb344c0fe8b7da6f52c40684dc62721e20493af

SHA512
0d505e409b6d6cd96bbc8eabe767dd8dade1634ee5c068001bc8cf4ae25b9a5523d1060aeabe759c1881bf62640a49e60d176c964c2769f63771a85678824492

Download Submit
C:\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build2.exe
Filesize
26KB

MD5
22eea6d551c24213663bbaca4926a775

SHA1
4ed7953a6659422032def3e3d41a69bacf673ebf

SHA256
06b2b3ab7138262677afe62a0eb7ae06934623d7870835f141d066341fcbec9a

SHA512
322d6b02cc1ea91cd7bef580f375e39e9d99a59b2ab7f741556a868f6c6e5d4aac14c6378dd6874ae9b947e0c2525ddcc759d75d218da5093584bc4f73b190d9

Download Submit
C:\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build2.exe
Filesize
278KB

MD5
ccb3d1f62b2bd472b6273f3f3fb19ed1

SHA1
055b55065a58ca1cfcde735402fae54519800c0f

SHA256
3a22106641915e6ba2113833a4e719a7912966d13e868367f48c9c746a3251fb

SHA512
1a2fb85fadb0f23ba9d079ca93a09d514df5c36f543b8971ace588811b9195c6ad0c1540bbaf19142c4f1307b9abd981a35c6689c0b6ad9439f23900d2ea623c

Download Submit
C:\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build2.exe
Filesize
219KB

MD5
f5ac56e73c59ac00fc28ea0f3ddca1fe

SHA1
33523cd0d55ca47985d8ed9782426c321e1dd8fd

SHA256
4c3503c3a40867f374f8bc7fa3e880419b2301efb3ac3481285b7b6c9e662566

SHA512
bad99e6a9719882a19778c2180344fb7df3138dc80957cd08952ed7b6b4adb71c34a855fc257b565ab905268ecf5906d9d3b8d280b3ac11b4a0996d5ee00f74d

Download Submit
C:\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build3.exe
Filesize
69KB

MD5
5f40c8fe561c85914a5a54755240cc27

SHA1
0de0ee90447516505b598af0e209461f5bb47a64

SHA256
b6594d040d2b430fe13817e67e45dcab4e1a3327428e0e546bf834f7a05969f0

SHA512
b02a954ba1d1d28df2aee61f60de3cefa31ba690df9baf421dd40b9b4613864b0d968678b0f3d561e96a4c712cb242817d69d0f4d710199562dcbd575e5bfe22

Download Submit
C:\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build3.exe
Filesize
136KB

MD5
07156d244030782cf72e4b83c2800bab

SHA1
5264bfea94795f0fae19ea859a48e6b95aef532c

SHA256
91be5196ddf37beb77a8d762a3e42328f2aca4b3de9a06f9fc75def00545c893

SHA512
b1b36102e5fb3be4ac244ca58a34008b5f3e5c80fc138ffa1c50025ef00640311c5d7f46f15754c400a6d196ee15ff8736251af91ff9703eeee1fd1fbe05956c

Download Submit
C:\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build3.exe
Filesize
47KB

MD5
72d0480a818dabc8185095f9f5d9ad75

SHA1
c301590cf66f783118e7cf55f65142372d3e293e

SHA256
0e9c0439304db73a2e6fd030a91b8f42d587b839ce0913aa17b1ab981fd9c441

SHA512
eecbc39d766558e079dee9665b0bdb59e41f52daf47bc79b4367afaf94fb4e648303665701008e6c3bb9cac4ff158c53682c91afd90e7edde0e40534f21e259b

Download Submit
C:\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build3.exe
Filesize
119KB

MD5
32068c9c7190a88cf23317b6bb9093df

SHA1
f90ebb209437f329fbae5c1e93fef2f116788d79

SHA256
a111437c274c4443be6fa2000b0a0bd167f545ec5d8aff3c8c1a8d4450166a17

SHA512
0e2a0fb942ad50d271ba895137390393f8b7b0bd82b6d052656435e82e203bb8a0c03c0c55c92567358c9191863382639294dc3d8a6eb3d9d11c5bfe704a4b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2D48.tmp
Filesize
30KB

MD5
eb2c2df74999f7e694693fc10dd931bc

SHA1
f811616bbcdd0274a1869fd221b5d96903b9a8a7

SHA256
074f9db4a945bf75d5ddbd134275146b1eaaffe284a3027ac1fc90aa6336a8d2

SHA512
e075f9296167a544ca8e0cb9b016a3b0aaf967b3cb0ad908982533a9c1c580fbe7550719322b02f68ab18268d846d41955ef8df1731969618e0fd4b6bddb513f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar44FD.tmp
Filesize
45KB

MD5
b0404fbd185cf319509a39423ea897f9

SHA1
989f1c2e0fc5976231382043b888b1403b70da75

SHA256
0b533c1e0d4935d0d1b86c7736a8c4798aa04e739b06201847c15decd205ae1c

SHA512
2a3f06eb28c94db9bd20da226102420accb57eeb88b996c0b0da72c79b70774e30f9ccf295a17541ad43891f250d52494982db4aeac8a53cf1d15fa1341219fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
99KB

MD5
13b7fd8697f2d99cc6d47fa69dbea923

SHA1
ebf506c6cb93bc324f5aa1f7b6e26d49b6ebec32

SHA256
fb53336a5a257477a7609774b71d0f5ada3a34cc9b0a95222808032359f4002c

SHA512
c389d5ed28295eeb5127f252e3031e6080fd5742abdf27369a618c407faf9f13db480c5e604a5d4ed6a5e53dbb61f041be73c3e2d3f48980e679a2fda1cdf658

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
115KB

MD5
82bdea887f5948ba7c6a1845291ce1a8

SHA1
e66099f1406cfd8a17bf86a1090e126d20716317

SHA256
3ea19eb1c7812ad9a978277c5e8f0690e34644a725ea3ea972cf23c5ab64a6e4

SHA512
43d32039da414d46eadd7c1fcaffcedccbe754dee8908d139417b4dac1c6d1af32af5d5fec9a753fb00c498b4e1cd2bbdc5adab3266a45286d95a93e19d52653

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
103KB

MD5
1b8f72412ef0638f5892e91f5178402a

SHA1
c6abb2cfc63919e10a2e58bb0fdfb6e638e8ce93

SHA256
1554580c14f425db3101b1348ee899705d1c1a16b8b66a214dfd9dc5cd306c76

SHA512
a68ae90a4db746823732deaa625c061f7ac50bfcd504c45b32a79f1252ca047dbb14c49e9016970a88da79283b72caf90605c7a3c3345315731bc708606427b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
81KB

MD5
1135275e5913a1d4316a427a899ab085

SHA1
72a4751eb65098975acdad223f6f34b9c58ac775

SHA256
9bb731c615d92129176b2ac3305f7aca9e235932af64cf88f5ac0472590493d8

SHA512
995792a789edfd6eb58f64f5f31d8309f1ac69aa69a06580249b39e8df36f9bc6f36dade1c7d91f685d83a442bfab02523dfd65ce02e298f9fbc2483cf5cfb7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
168KB

MD5
8519befe1cbbed8429384139c394bf1e

SHA1
f653acbedcd2499c1cbd650f6b0401ff42677ee5

SHA256
89693e4a3fb2d52253069a056ba96e892fa97271acf24001764b12bde1b083d3

SHA512
37a3802fd5f17076182fbcb1d4ec48e6e11c2dab021862d30e66b36a59c749481d24994895b97f77b4d74b46e297180965c3be6d01c3135e686d221d4ac80417

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build2.exe
Filesize
53KB

MD5
8ac7947aa023d980bc62fbe09a877e05

SHA1
a68077d76b2a7a2810cef42171271ad7f2f02310

SHA256
65b9020134a684fc487149893dbf9556db68af0eea4cba14306a676c69fc21dd

SHA512
2575842b92c92d138bd35c9862a973e2128e5334330bbba9861a1d43f929b5778c809f8bcbc537e2f437131320748ca1704fa585b748dc58324b6409a22ae7b4

Download Submit
\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build2.exe
Filesize
89KB

MD5
89a61fc8813ee7a69b1eca92163f1412

SHA1
da03bb5e1d0c4b2098c0648b61b4d38442771de4

SHA256
79f1c19596d2ff48b83673945035390a3ec5a107851f5ce4baaa8e513daed198

SHA512
a698e054527e10d99a6c81ee6f4de044a8f211006942a755d14fdfa68c11a3ecc839c9caf928b0107cc2a4c9f926c1729709b06a2e0d5718e8bbdea416e08d81

Download Submit
\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build2.exe
Filesize
18KB

MD5
799505b34e2dd5fead02d132ba8e773c

SHA1
58ae21a5a8aa04e8ca62da3498d8b44e5864ccac

SHA256
9e44bebb930634a404e273173eb96dd50b520779807e00ef5485729574dc0f41

SHA512
86f7a8f0e0b4420e480738c4f8bc6107ac5a1fc53f6c2e5a1ad30030e27ef5db36f3b9a755ce72c22bff289dbf62d5765af0692da3d5730992e185640a9207fc

Download Submit
\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build2.exe
Filesize
45KB

MD5
73413477b453a26000ceabf099152dcb

SHA1
8f6ae46e852182726ee94d03e4b4d86c08a2f979

SHA256
76cb5b2e303e06272ef8ffec53c2e3f72a6b11ae2a520b21a1d7a3144535eb0e

SHA512
1746cd4742f8a026d24d94858b5dd10145c103ca5a7805272994fc5ab9101444b4bc6f63325ef7917f9dd97af18d1d0892cf497f75a8b8a78e3cdde8922a96fc

Download Submit
\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build2.exe
Filesize
20KB

MD5
3afc48cf9f7729360fa3ffe196db85c6

SHA1
2e5f140a26a989feb5cb340c8f04977d8909931e

SHA256
65cb84ea44e94e552a9fecfd8dd8c2c790454e45b4f989ffc5ffc603a86b2ed1

SHA512
ce9ceeb429813666a50ffbe6279b308ff2d66be21353f3a52478eaa5240d4f4345e42558a698dbc30ab6e08d64349b524d7e4b4a45fd8d0c2d95a94b51a08365

Download Submit
\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build2.exe
Filesize
14KB

MD5
b4f0287385b7e84fdaef564f9bc09e68

SHA1
9c867d3434b9618c0fdea451d5178fade601dd19

SHA256
c50d7239811e59d53c5c94d0d88442afd4776cd1a40c946bf675cc069a5998bc

SHA512
6edd883b65c908c5665399dee4ec9b5cc0bdf336d4fcb210e75ea9f1359e0e99973a5f0fcfc584107ebaf75484275d3495dce550205eaa3851c935e0290a764d

Download Submit
\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build2.exe
Filesize
17KB

MD5
4ba8a003b8fb132afe7d1f2bbcbbe567

SHA1
3eb8a6bf2b232ddbdf77c987596af5c6fd1431a1

SHA256
2f5f3e3a2382bf5b0c2c3086dd77b67e650bb4241e4e6f1256db2f453f0debc9

SHA512
f059ddb526f71b8030855b5852d7624648dce255e629d2608c9de2ab0b78f5337c89e3a1941c3230b9afa713ea58679e636135615d7cfd3cadf60112c5ad2ea9

Download Submit
\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build2.exe
Filesize
385KB

MD5
63e4a9cd7a8b37335b5f18cefc5dd9d2

SHA1
c781a30935afc452b108cc78724b60f389b78874

SHA256
c1e75efde3fd1da605135e5c3ffab0073299c80632d136f8eeba9d4a7c98c70f

SHA512
3818b5966938704c5830acb5426db7791f6ae476853248d8984b1aff35a6722a0684bea54a53ef6ded1f301f6de9ed044d45f007457a9c0f3a7ea3afc7bf0ecc

Download Submit
\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build2.exe
Filesize
203KB

MD5
545b1450d7a46f73e823501469228001

SHA1
74b3cd6ca1ffdafd9694f501602441237b9ea4bc

SHA256
729ae2f8a684b9fae46d486f2a4b83c913ea6e69e78dfd3d97805b24d1223f68

SHA512
99876e30f0fd703ef1a6aec6bb53ae33202719e5fdb6723677890f314fa79b0ba4061118126b348d5c7b3b8e7a33c0f7e81355533d13bfbdc7a6c5b0c6832e9f

Download Submit
\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build3.exe
Filesize
64KB

MD5
8b6a819c6926597dfa7529b692d7a6cc

SHA1
50c535e9cca464afd3a589d2231d87ce417d4312

SHA256
b9cb5501cc2d257e049e1757062523c7f9ee5a85d57d46538fe492125befd26c

SHA512
dfd28b270d99ad89f8ce1df9750b92ff558f73fe2448bf182b5c1c05c7b180bb29175eeaf5a7c918791d64b36167fc1a6044f1aaff838e02e878782f5f6c0ba9

Download Submit
\Users\Admin\AppData\Local\20f94d27-434f-4cec-b30e-878b2f5f1fae\build3.exe
Filesize
47KB

MD5
a9c626805ec95624997fcb889c1673f1

SHA1
021d9724356198b760e7ea229d033f10335a13df

SHA256
4458d76e1d208e772845adcd5e2a7770c3f93c34ccb59ce8268659c8c52f26ec

SHA512
69ba29d2d4b481c24dc7a96893668caca2b2d0c6668bc2090c6bb7ba9d84ba181934da72291a063dcdd8c286e4c863970749f967612ef072e42d133fa71e050a

Download Submit
memory/268-277-0x00000000002F2000-0x0000000000302000-memory.dmp

Filesize
64KB

Download
memory/1500-73-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1500-229-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1500-79-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1500-78-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1500-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1520-335-0x00000000008D2000-0x00000000008E2000-memory.dmp

Filesize
64KB

Download
memory/1744-178-0x00000000008A0000-0x00000000009A0000-memory.dmp

Filesize
1024KB

Download
memory/1744-179-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2056-302-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download
memory/2272-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2272-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2272-7-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2272-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2272-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2332-182-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2332-180-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2332-175-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2372-1-0x00000000002F0000-0x0000000000381000-memory.dmp

Filesize
580KB

Download
memory/2372-3-0x0000000002D50000-0x0000000002E6B000-memory.dmp

Filesize
1.1MB

Download
memory/2372-0-0x00000000002F0000-0x0000000000381000-memory.dmp

Filesize
580KB

Download
memory/2380-251-0x0000000000902000-0x0000000000912000-memory.dmp

Filesize
64KB

Download
memory/2520-231-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2520-75-0x00000000005E0000-0x00000000005FB000-memory.dmp

Filesize
108KB

Download
memory/2520-76-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2560-27-0x0000000000300000-0x0000000000391000-memory.dmp

Filesize
580KB

Download
memory/2560-29-0x0000000000300000-0x0000000000391000-memory.dmp

Filesize
580KB

Download
memory/2700-48-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2700-49-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2700-34-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2700-169-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2700-56-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2700-55-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2700-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2700-57-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2700-35-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download