djvu | 66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678

Analysis

max time kernel
299s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05-02-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
Size

737KB
MD5

93c82a57837aae4227b65a84b2e7c787
SHA1

469d0f9920d93029c4cdf2832d0df9939a17e5e4
SHA256

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678
SHA512

be00ea6ed8b6c3948374d46a83873adf9f40af21db5dd42985fe736dc46cb03fe72ceb8b5593aa7f30937fd92d064486b3856afd5892f1c67b518e26eba0ae64
SSDEEP

12288:Q2IwAVLmgpXICA9qcs0gsq8TgvHDVEk25wZ5C2UGhh6a+Wh7P3auMkTQ9ymQAd:dAVLmAXku0gs6HDVEkXZ52Ghh9+23hQ

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/964-99-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/964-100-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/964-96-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2772-95-0x0000000000230000-0x0000000000260000-memory.dmp	family_vidar_v7
behavioral1/memory/964-249-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/880-2-0x0000000001D70000-0x0000000001E8B000-memory.dmp	family_djvu
behavioral1/memory/2740-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2740-7-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2740-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2740-44-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-52-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-70-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-69-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-74-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-77-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-76-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-78-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-172-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/448-317-0x00000000008C0000-0x00000000009C0000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
2772	build2.exe
964	build2.exe
1556	build3.exe
992	build3.exe
2888	mstsca.exe
2724	mstsca.exe
2784	mstsca.exe
1544	mstsca.exe
448	mstsca.exe
2032	mstsca.exe
2212	mstsca.exe
3012	mstsca.exe
2444	mstsca.exe
1104	mstsca.exe

Loads dropped DLL 11 IoCs

Processes:

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exeWerFault.exe

pid	process
2844	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
2844	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
2844	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
2844	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2632 icacls.exe

pid	process
2632	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c742ead5-56ce-4620-8010-e6fe51e9dc79\\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe\" --AutoStart"	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 api.2ip.ua
3 api.2ip.ua
4 api.2ip.ua

flow	ioc
16	api.2ip.ua
3	api.2ip.ua
4	api.2ip.ua

Suspicious use of SetThreadContext 9 IoCs

Processes:

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 880 set thread context of 2740	880	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2516 set thread context of 2844	2516	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2772 set thread context of 964	2772	build2.exe	build2.exe
PID 1556 set thread context of 992	1556	build3.exe	build3.exe
PID 2888 set thread context of 2724	2888	mstsca.exe	mstsca.exe
PID 2784 set thread context of 1544	2784	mstsca.exe	mstsca.exe
PID 448 set thread context of 2032	448	mstsca.exe	mstsca.exe
PID 2212 set thread context of 3012	2212	mstsca.exe	mstsca.exe
PID 2444 set thread context of 1104	2444	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2868 964 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2040 schtasks.exe
2736 schtasks.exe

pid	pid_target	process	target process
2868	964	WerFault.exe	build2.exe

pid	process
2040	schtasks.exe
2736	schtasks.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build2.exe66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe

pid	process
2740	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
2740	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
2844	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
2844	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exebuild2.exebuild3.exebuild3.exebuild2.exe

description	pid	process	target process
PID 880 wrote to memory of 2740	880	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 880 wrote to memory of 2740	880	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 880 wrote to memory of 2740	880	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 880 wrote to memory of 2740	880	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 880 wrote to memory of 2740	880	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 880 wrote to memory of 2740	880	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 880 wrote to memory of 2740	880	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 880 wrote to memory of 2740	880	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 880 wrote to memory of 2740	880	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 880 wrote to memory of 2740	880	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 880 wrote to memory of 2740	880	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2740 wrote to memory of 2632	2740	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	icacls.exe
PID 2740 wrote to memory of 2632	2740	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	icacls.exe
PID 2740 wrote to memory of 2632	2740	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	icacls.exe
PID 2740 wrote to memory of 2632	2740	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	icacls.exe
PID 2740 wrote to memory of 2516	2740	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2740 wrote to memory of 2516	2740	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2740 wrote to memory of 2516	2740	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2740 wrote to memory of 2516	2740	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2516 wrote to memory of 2844	2516	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2516 wrote to memory of 2844	2516	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2516 wrote to memory of 2844	2516	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2516 wrote to memory of 2844	2516	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2516 wrote to memory of 2844	2516	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2516 wrote to memory of 2844	2516	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2516 wrote to memory of 2844	2516	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2516 wrote to memory of 2844	2516	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2516 wrote to memory of 2844	2516	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2516 wrote to memory of 2844	2516	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2516 wrote to memory of 2844	2516	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2844 wrote to memory of 2772	2844	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build2.exe
PID 2844 wrote to memory of 2772	2844	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build2.exe
PID 2844 wrote to memory of 2772	2844	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build2.exe
PID 2844 wrote to memory of 2772	2844	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build2.exe
PID 2772 wrote to memory of 964	2772	build2.exe	build2.exe
PID 2772 wrote to memory of 964	2772	build2.exe	build2.exe
PID 2772 wrote to memory of 964	2772	build2.exe	build2.exe
PID 2772 wrote to memory of 964	2772	build2.exe	build2.exe
PID 2772 wrote to memory of 964	2772	build2.exe	build2.exe
PID 2772 wrote to memory of 964	2772	build2.exe	build2.exe
PID 2772 wrote to memory of 964	2772	build2.exe	build2.exe
PID 2772 wrote to memory of 964	2772	build2.exe	build2.exe
PID 2772 wrote to memory of 964	2772	build2.exe	build2.exe
PID 2772 wrote to memory of 964	2772	build2.exe	build2.exe
PID 2772 wrote to memory of 964	2772	build2.exe	build2.exe
PID 2844 wrote to memory of 1556	2844	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build3.exe
PID 2844 wrote to memory of 1556	2844	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build3.exe
PID 2844 wrote to memory of 1556	2844	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build3.exe
PID 2844 wrote to memory of 1556	2844	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build3.exe
PID 1556 wrote to memory of 992	1556	build3.exe	build3.exe
PID 1556 wrote to memory of 992	1556	build3.exe	build3.exe
PID 1556 wrote to memory of 992	1556	build3.exe	build3.exe
PID 1556 wrote to memory of 992	1556	build3.exe	build3.exe
PID 1556 wrote to memory of 992	1556	build3.exe	build3.exe
PID 1556 wrote to memory of 992	1556	build3.exe	build3.exe
PID 1556 wrote to memory of 992	1556	build3.exe	build3.exe
PID 1556 wrote to memory of 992	1556	build3.exe	build3.exe
PID 1556 wrote to memory of 992	1556	build3.exe	build3.exe
PID 1556 wrote to memory of 992	1556	build3.exe	build3.exe
PID 992 wrote to memory of 2040	992	build3.exe	schtasks.exe
PID 992 wrote to memory of 2040	992	build3.exe	schtasks.exe
PID 992 wrote to memory of 2040	992	build3.exe	schtasks.exe
PID 992 wrote to memory of 2040	992	build3.exe	schtasks.exe
PID 964 wrote to memory of 2868	964	build2.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
"C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
"C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c742ead5-56ce-4620-8010-e6fe51e9dc79" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2632

C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
"C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2516

C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
"C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2844

C:\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build2.exe
"C:\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build3.exe
"C:\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build3.exe
"C:\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:2040

C:\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build2.exe
"C:\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build2.exe"
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1432
2⤵
- Loads dropped DLL
- Program crash
PID:2868

C:\Windows\system32\taskeng.exe
taskeng.exe {133863E0-DF14-487A-9434-A26E3487F3E4} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
1⤵
PID:2660

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2888

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2724

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2784

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1544

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:448

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2032

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2212

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:3012

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2444

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1104

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:2736

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
c59708a86e78530488f2356251e775a2

SHA1
17e33e077261cdd9e54d4e58dfb168f15ee93efb

SHA256
71719971666e64a4f767e8f9d0b52e822189c4bfb1fe449a0e7c8066c82813c2

SHA512
42afd4d2c791ea8cb239130cf4f4d43da0ec39c63049c56796e082282e2ba2f0cd0fd8934b7de3b359ca433b0609ad159fda6f92168168f2d4517f13fbbb3fbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
3b77749854e76f4ff49357fccd93d1c8

SHA1
c76a4d9b6c0a2ae89ae67156dc5106bd70754122

SHA256
0c2f91234ee782c55b5681045a44909f7f05b8c7f85baaa2bc4ca9e0fcd86d34

SHA512
b5ab591e1cfb719d70a9fc7fdd195a7e03e1fa58161a35ae7795af1c51b4ce62ac8450563fdc3fa5cb3b24eb26eca5b8bc7f41b9d6024f72222b937059bc10df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1c35aab763570bf070ea9fabe01c7c1a

SHA1
5ca3d6042629f74fc4b89349d352d090729c311a

SHA256
8c38850f2f224752aad92a19ac0d21a6eb2913ff5c7c6d846164d429e4f68b9f

SHA512
1f401de12c4c229f4cc9d437d6960f49b17dbada7af6f2419cf5fbf89af53003d662862daba1ba1f357d52e88bf5616d7520cca8ce345ebca9d653e39b79de0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e6cbdce835116878c3c32a4ce2653f82

SHA1
bada6c7cc0ce44398b5fea87934ab2241ee387d3

SHA256
c64f75182e066b227043b5b0ce693ae345ea4a3079f7e60cc554ae2edd20f2da

SHA512
f934a6557a07d0f037e9e2c7f76d1bac86ce4bce694c10fa139e83983d68bbda768699e7994b77dd15609b7473cb10e74bfa09e0f3df513921acc56779da716c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
d4bb59fd5ac81e65413582b56c6f5d1e

SHA1
f78fd2ed379d4f48ff94e14fa8a3ecc4321ac4ef

SHA256
f2d0e10b419e06dad3c4c29e35ac2e7de39350eb5765f249ae25244b00b09228

SHA512
02fc0ad5dffccf6ec743764749d2cf943613bfa0961852e3438184190ba4862f3b001c5f00dc1500266ba1629467a6e9fcef7202aef9852edb9e6a1ab7f0c0db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
9115b27e0dd22d0f6418b01cf9bc1644

SHA1
283981532be7844979353c22357bffb871d73d25

SHA256
61f9b7bf1bbc7c8139873b2c1479a89f9455259b12d1a873733eb6a1772e47b6

SHA512
d6656d8680e61f3f54b26337c620b477800a6e5bff2b337ddb23785d227b6a26fff59df75d502c331be824a49c09ce973f164a6660551a2a5589c37d54f862ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3821.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build2.exe
Filesize
385KB

MD5
63e4a9cd7a8b37335b5f18cefc5dd9d2

SHA1
c781a30935afc452b108cc78724b60f389b78874

SHA256
c1e75efde3fd1da605135e5c3ffab0073299c80632d136f8eeba9d4a7c98c70f

SHA512
3818b5966938704c5830acb5426db7791f6ae476853248d8984b1aff35a6722a0684bea54a53ef6ded1f301f6de9ed044d45f007457a9c0f3a7ea3afc7bf0ecc

Download Submit
C:\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build2.exe
Filesize
264KB

MD5
e18a87f7d02d71c3bf6f20d276570b8f

SHA1
a161db49b686f2eadcc364572f6196d0949ab382

SHA256
0ccdbe4a6d183042b9b585c3f228b6b2f3792baa603f470676c7f4dfb14f5159

SHA512
b66b21357441911493015cae759d56f046fbb14e7011ca35b6fd1fca20e1b120045e1c040a8e602e7922a8b3ff936a6942370cdd01cc4e1d35bbfe853314830d

Download Submit
C:\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build2.exe
Filesize
275KB

MD5
eeacbfe3ff974c0161d31774fb3ba526

SHA1
0afb7fac734fcef125ecc5a24f2e76c5e189ce18

SHA256
fac4078542969d5d7056b45b7eb2b3a46f50c302af1308f696b120c4201e1cb9

SHA512
754f51912bd9a6bfba1fb6a7e2c8afca15dff41db6245ad3eacb5e7e5b7eab1730a54815368db15f0fab8e557f1c4b73168f25a9e5066bd58df7275c3ce2b51e

Download Submit
C:\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build2.exe
Filesize
273KB

MD5
c66bb081317e3a26ac09d106dbe457f7

SHA1
b51f73aa02950b832ea05338a2ac1a9ff4238077

SHA256
ff348ef41979fefd329b2e6b46f21b8ab9154f60e58fbf043834d6ed5dc963e1

SHA512
2e92e633dd48032c611487997c4a51c435e4e2d62363b4041941e7649be51c5b0eb94347a25e3d883b466ac4ef8f4ab9e4485b6033d6616ceb90349de7aabadf

Download Submit
C:\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build3.exe
Filesize
256KB

MD5
164bc11a628ff1722c833c8e2642aca5

SHA1
56d2d17695a85b876b736933a7f1cd5cf2acfdb1

SHA256
e76e2fa66070991fff3747fd12185ec795651b8506f290a3f1214b0eab40d330

SHA512
099d1715e47a2c4ea346b432f186ffb6fcd94f9ec6b28ffcf5047a57b686a0135e765db75150ac14420cb9285fb02c8d390751b239a2a9446219da587a89ce9b

Download Submit
C:\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build3.exe
Filesize
212KB

MD5
f2559e3e053c0de1b05d94ee61dd6538

SHA1
fe27f3ebfcbb7b9b02b70a94f818dd5e96bf3b04

SHA256
97a215aafbd0e467756773fa9968691cf2fd9fc92f67e30d30f0a84bb097ab6f

SHA512
d85f37b8d28617d420c1184e9580b55c1ac4be4f179159236038d81d5d61c19a20acff0f7bafd68801f0d423f45af312bc815bfbcc3c724892750f4358d15317

Download Submit
C:\Users\Admin\AppData\Local\c742ead5-56ce-4620-8010-e6fe51e9dc79\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
Filesize
737KB

MD5
93c82a57837aae4227b65a84b2e7c787

SHA1
469d0f9920d93029c4cdf2832d0df9939a17e5e4

SHA256
66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678

SHA512
be00ea6ed8b6c3948374d46a83873adf9f40af21db5dd42985fe736dc46cb03fe72ceb8b5593aa7f30937fd92d064486b3856afd5892f1c67b518e26eba0ae64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
1KB

MD5
d35c806c95b926208b06f305860de044

SHA1
fd111b2072749c0e2b3f1bb7102e4fbcdd8b931b

SHA256
722325dfc7e0a3d8b9c5bcf978e54f9a90a83ffa5d14372a51dc7c3609fee061

SHA512
cb5f66f83bd6a8ddad6d740479d17352d3a8249ab6fec7ea0ee071dcc7f9855ed378dee61bb65e92d272e3fb8187282ce08d0694550cfa610bf6e6508ec5b6a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
132KB

MD5
1390f6d2873d30cb7e9aab2be4067a93

SHA1
7a19d0686e6bd57532315e92c95e6658e9349a34

SHA256
2b3e573c1f434c6a9d422ee3ca03106017716c309abeccf3553bb9ab6d1fcea4

SHA512
1b28208c4d567b21bc98367bd70ff6e7fd64479829ece4655bae854271fd4b4b71f271fac05d447a82ef3befe9b08b05f5644596d0315e43f6174df403ac7ff3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
250KB

MD5
76ac6a8adad0ea55ab6d23be8d371820

SHA1
45ec5d6373741a874e559d76175cd0e620756670

SHA256
84219cf58c9e5d373368e9a71d21a3444f1fc5cbe615a30225c93f23b198ce69

SHA512
14b6604425a668144fd66d3edbfd8fbeadb73211db2946493ca2c90a98685c1c1beac609383fecb0e7028aaddc7465fa64af41e2fb824c1da76a98fa7a6e1d73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
42KB

MD5
079f35b3e4c5cab6102333e129e692ed

SHA1
39b5fa3310a2c238b6d7550fa626d159c1ebadd8

SHA256
ecb2af815937ec541660c391d8c093e8e8ea0e6de064ebb67fff0db9086957b2

SHA512
40adbc90317b7de4e44ab310d283fecccefcb5252af1f45edfa597cf5ea56d1a96e5aad06ac8fa2ac472a182b00ad2af98abb5cfe18126a76a6be8695005a0b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
34KB

MD5
63118e0b5fa9783164fd276620f10ecb

SHA1
1b36cae543d03a16e4009ed77cb2ea6b0ae429be

SHA256
72c642acb915945033954e53923ae36e3a351316c1dabfb2116ca3dd93e4a8b1

SHA512
64f9453f2fd2d6c582706ddfbb96bea51cf4f052984c5afb7d6eb3ae65eccd6b49f1e711cfa33f865f6ad9110768172c0fcf34b1cdbc6d2fdb5c3886d769d742

Download Submit
\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build2.exe
Filesize
97KB

MD5
7100e09d0c83e4aa6ecfe6454c4f2b5f

SHA1
a56bd9614aba0b29c354cdc19d40ae1d4e34d0b0

SHA256
0b8c3374cc0b0210be8f64d3ddf71917523c465ce5215904cb23b9911d2d679a

SHA512
227539e2a900ef46251b29a4f7aa0cdc9100d7d6466b8eb3616ad922f28def0514289edd021ff280a06fa711c2d531401bb14702a9008870b173ab2f6d529e25

Download Submit
\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build2.exe
Filesize
37KB

MD5
f399063fd08b4770b724fc355fe44566

SHA1
41da874605ad4af2dd9cb2b57793b04eeb56338f

SHA256
909985790f81d52644a6785e5b0961cc724d8082f8017ab61f364b47e754a949

SHA512
8fd117f0e35cf53da86c52a96644130b922b9e3c2e74e0d225a29deabe429fc621167d1f7d8a068ed3dbf75816a6135f5716483b5b9ca6786f3a374ec282d2ba

Download Submit
\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build2.exe
Filesize
11KB

MD5
b5412d10ca981353555729972757f807

SHA1
a5f7c4e12a7ff3f9b89d33b9903b21334f6ef311

SHA256
42b889979d338ab08a9a73d3b0e03fcd5079df94a87d6ae67163bdb35629c751

SHA512
7942a6e0749892c30835a8e59b40d074d9abdade8c4b1b84ffc1a68d39b732a752de1cdcb21d541eda5f5e038be02ae730433aa073ced29aeed079f8a553657b

Download Submit
\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build2.exe
Filesize
1KB

MD5
4b49c6fe09c9c2d4b59bd6cfbeacb12c

SHA1
34592ba710ba16b6df0cda4dc8cfd6db93600062

SHA256
284c248d8da39b056cd78802f016eeecd4d0f55c272de796f9fc3744d3db67bf

SHA512
4a31d9edca2c3c4b21113489627930a2bc444c68a507c08b72ae15f41d23d555b75b4bfe84ab81dd3891735057c0f6eda89143ba49b8940f0a0c7b9e6501d5b3

Download Submit
\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build2.exe
Filesize
5KB

MD5
f9f71e361c1d403b37694cf4a705b65d

SHA1
ed5663bcddd0739d4249e2bed2a9f0ee1c025fa0

SHA256
5ed0b620a5d9f86799ee59456334c50b586fbdbe1304b1002a9aff332b087884

SHA512
d1aa0d586154b67e0a0abae887ff19f0d9fc307e31677a34838d646a8b8ce050c91c9c0369626018a5b1911cd3d812cb087579af00bf8723c1a0cfc81de8b771

Download Submit
\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build2.exe
Filesize
57KB

MD5
0943e38c1543f7adc9847cc219e81dee

SHA1
8422b8a245b11011f77ba189672ca4801b123c35

SHA256
7bac27547b2f836e4c08aa5ab54d7c7ead5fbade1d59904e0f192edd0859aad7

SHA512
8a87548f22e724fcc488dd54ee89b46442232dcf811d1fd30acbb6b2836c65347e1620f42827f34c110a3e5a2ea2746c36ae66def441b762f1397277996d4d97

Download Submit
\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build2.exe
Filesize
56KB

MD5
726009472e1df89d035adbef31b68d65

SHA1
b3c34107745f76edd1bd17d44a4d79fcbd87f0c9

SHA256
d967620aaed470f2858583bd4de7cd67a87818a95d2b9d0b30c0a997238ec194

SHA512
50894254c5be377e2ec848d291036eaf6f9e515972dc8a83812ec64cde0ba833ba87c61f04b290e3c0bd59121d314d8704dd7848672e3aacf1ecea56d237a40a

Download Submit
\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build2.exe
Filesize
342KB

MD5
fd2b6823e5cff5d7d5b0959fce149208

SHA1
0212213887054df39016a3373569f826f8c47cbf

SHA256
c1c1ddb43a2e696001c92ad2fca098aef8721a7824c8eec34889dade7f452c8e

SHA512
582e1f0ce003499523e7add60c67a64a65dfe793a70ebef30729926e82aa095f9d8c24c7df73c33a135d0befcfe489a718c1436e6454135ad2493514c6641601

Download Submit
\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build2.exe
Filesize
323KB

MD5
41c22cf132b6d850941384b841a035ea

SHA1
d6493b3cda050e398de0e8f1ba9250219b91a585

SHA256
ea1d49e479d05b4f501f35bd272f174a1790aec75b1cb787bd421b4bbc03abcb

SHA512
8608b3467caa93792765c17c60cf4d6487a839dfdc061e1f7c6792bc2e93881dcd69884cfd5ac0825ddf2214b41553cc0cf0872e9893fa79142d53faae7a6454

Download Submit
\Users\Admin\AppData\Local\aacdb1fd-d32f-4225-8550-1295c3cdd6ae\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
memory/448-328-0x00000000008C0000-0x00000000009C0000-memory.dmp

Filesize
1024KB

Download
memory/448-317-0x00000000008C0000-0x00000000009C0000-memory.dmp

Filesize
1024KB

Download
memory/880-1-0x0000000000330000-0x00000000003C2000-memory.dmp

Filesize
584KB

Download
memory/880-2-0x0000000001D70000-0x0000000001E8B000-memory.dmp

Filesize
1.1MB

Download
memory/880-0-0x0000000000330000-0x00000000003C2000-memory.dmp

Filesize
584KB

Download
memory/964-249-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/964-99-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/964-92-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/964-96-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/964-100-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/992-217-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/992-231-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/992-228-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1544-290-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/1556-214-0x0000000000980000-0x0000000000A80000-memory.dmp

Filesize
1024KB

Download
memory/1556-215-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2212-346-0x0000000000932000-0x0000000000942000-memory.dmp

Filesize
64KB

Download
memory/2444-373-0x00000000002F2000-0x0000000000302000-memory.dmp

Filesize
64KB

Download
memory/2516-48-0x00000000004D0000-0x0000000000562000-memory.dmp

Filesize
584KB

Download
memory/2516-46-0x00000000004D0000-0x0000000000562000-memory.dmp

Filesize
584KB

Download
memory/2740-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2740-7-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2740-44-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2740-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2740-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2772-95-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2772-93-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/2784-287-0x0000000000910000-0x0000000000A10000-memory.dmp

Filesize
1024KB

Download
memory/2844-78-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-69-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-172-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-77-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-74-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-70-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-76-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2888-258-0x0000000000932000-0x0000000000942000-memory.dmp

Filesize
64KB

Download