Malware Analysis Report

2025-01-02 11:13

Sample ID 240312-rj4c6acg22
Target fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9
SHA256 fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9
Tags
smokeloader pub1 backdoor trojan dcrat djvu vidar 7462cf1e49890509e46ee7ab1b511527 discovery infostealer persistence ransomware rat stealer
score
10/10

Analysis Overview

score
10/10

SHA256

fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9

Threat Level: Known bad

The file fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9 was found to be: Known bad.

Malicious Activity Summary

Vidar

Djvu Ransomware

Detected Djvu ransomware

Detect Vidar Stealer

SmokeLoader

DcRat

Downloads MZ/PE file

Loads dropped DLL

Deletes itself

Modifies file permissions

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-12 14:14

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-12 14:14

Reported

2024-03-12 14:16

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe N/A

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe

"C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-12 14:14

Reported

2024-03-12 14:16

Platform

win7-20240221-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\92e23cbe-8f02-4880-8f34-81f8068a8a59\\6BBF.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6BBF.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect Vidar Stealer

stealer

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Deletes itself

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\92e23cbe-8f02-4880-8f34-81f8068a8a59\\6BBF.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6BBF.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1328 wrote to memory of 2588 N/A N/A C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1328 wrote to memory of 436 N/A N/A C:\Users\Admin\AppData\Local\Temp\6BBF.exe
PID 436 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\6BBF.exe C:\Users\Admin\AppData\Local\Temp\6BBF.exe
PID 1428 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\6BBF.exe C:\Windows\SysWOW64\icacls.exe
PID 1428 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\6BBF.exe C:\Users\Admin\AppData\Local\Temp\6BBF.exe
PID 2340 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\6BBF.exe C:\Users\Admin\AppData\Local\Temp\6BBF.exe
PID 2148 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\6BBF.exe C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build2.exe
PID 2924 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build2.exe C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build2.exe
PID 1772 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2148 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\6BBF.exe C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build3.exe
PID 2100 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build3.exe C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe

"C:\Users\Admin\AppData\Local\Temp\fa62c0963b5585dda927bd51381275ab1c7d0b2bbbe0ca1d4f7221c4c4987ab9.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\B6C1.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\6BBF.exe

C:\Users\Admin\AppData\Local\Temp\6BBF.exe

C:\Users\Admin\AppData\Local\Temp\6BBF.exe

C:\Users\Admin\AppData\Local\Temp\6BBF.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\92e23cbe-8f02-4880-8f34-81f8068a8a59" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\6BBF.exe

"C:\Users\Admin\AppData\Local\Temp\6BBF.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6BBF.exe

"C:\Users\Admin\AppData\Local\Temp\6BBF.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build2.exe

"C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build2.exe"

C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build2.exe

"C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1400

C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build3.exe

"C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build3.exe"

C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build3.exe

"C:\Users\Admin\AppData\Local\4e9a5a41-5e99-467d-90e0-333cb06d3868\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\56E9.exe

C:\Users\Admin\AppData\Local\Temp\56E9.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\5BCA.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 124

Network

Files