Analysis Overview
SHA256
3c376fc86e08d64b331923b4f2ce1cf4348192f3c247fc82a04ff20664f20186
Threat Level: Known bad
The file 3c376fc86e08d64b331923b4f2ce1cf4348192f3c247fc82a04ff20664f20186 was found to be: Known bad.
Malicious Activity Summary
Vidar
Detected Djvu ransomware
Djvu Ransomware
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Checks installed software on the system
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-29 10:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-29 10:50
Reported
2022-11-29 10:53
Platform
win10-20220901-en
Max time kernel
73s
Max time network
138s
Command Line
Signatures
Detected Djvu ransomware
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\244d5f85-3966-4a43-b4e6-49a531396fe1\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\244d5f85-3966-4a43-b4e6-49a531396fe1\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\244d5f85-3966-4a43-b4e6-49a531396fe1\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\244d5f85-3966-4a43-b4e6-49a531396fe1\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\244d5f85-3966-4a43-b4e6-49a531396fe1\build2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6e9d5f81-3c59-4645-a336-5b036a96b563\\3c376fc86e08d64b331923b4f2ce1cf4348192f3c247fc82a04ff20664f20186.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\3c376fc86e08d64b331923b4f2ce1cf4348192f3c247fc82a04ff20664f20186.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2656 set thread context of 4996 | N/A | C:\Users\Admin\AppData\Local\Temp\3c376fc86e08d64b331923b4f2ce1cf4348192f3c247fc82a04ff20664f20186.exe | C:\Users\Admin\AppData\Local\Temp\3c376fc86e08d64b331923b4f2ce1cf4348192f3c247fc82a04ff20664f20186.exe |
| PID 3576 set thread context of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\3c376fc86e08d64b331923b4f2ce1cf4348192f3c247fc82a04ff20664f20186.exe | C:\Users\Admin\AppData\Local\Temp\3c376fc86e08d64b331923b4f2ce1cf4348192f3c247fc82a04ff20664f20186.exe |
| PID 4876 set thread context of 2204 | N/A | C:\Users\Admin\AppData\Local\244d5f85-3966-4a43-b4e6-49a531396fe1\build2.exe | C:\Users\Admin\AppData\Local\244d5f85-3966-4a43-b4e6-49a531396fe1\build2.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\244d5f85-3966-4a43-b4e6-49a531396fe1\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\244d5f85-3966-4a43-b4e6-49a531396fe1\build2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3c376fc86e08d64b331923b4f2ce1cf4348192f3c247fc82a04ff20664f20186.exe
"C:\Users\Admin\AppData\Local\Temp\3c376fc86e08d64b331923b4f2ce1cf4348192f3c247fc82a04ff20664f20186.exe"
C:\Users\Admin\AppData\Local\Temp\3c376fc86e08d64b331923b4f2ce1cf4348192f3c247fc82a04ff20664f20186.exe
"C:\Users\Admin\AppData\Local\Temp\3c376fc86e08d64b331923b4f2ce1cf4348192f3c247fc82a04ff20664f20186.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\6e9d5f81-3c59-4645-a336-5b036a96b563" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\3c376fc86e08d64b331923b4f2ce1cf4348192f3c247fc82a04ff20664f20186.exe
"C:\Users\Admin\AppData\Local\Temp\3c376fc86e08d64b331923b4f2ce1cf4348192f3c247fc82a04ff20664f20186.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\3c376fc86e08d64b331923b4f2ce1cf4348192f3c247fc82a04ff20664f20186.exe
"C:\Users\Admin\AppData\Local\Temp\3c376fc86e08d64b331923b4f2ce1cf4348192f3c247fc82a04ff20664f20186.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\244d5f85-3966-4a43-b4e6-49a531396fe1\build2.exe
"C:\Users\Admin\AppData\Local\244d5f85-3966-4a43-b4e6-49a531396fe1\build2.exe"
C:\Users\Admin\AppData\Local\244d5f85-3966-4a43-b4e6-49a531396fe1\build3.exe
"C:\Users\Admin\AppData\Local\244d5f85-3966-4a43-b4e6-49a531396fe1\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\244d5f85-3966-4a43-b4e6-49a531396fe1\build2.exe
"C:\Users\Admin\AppData\Local\244d5f85-3966-4a43-b4e6-49a531396fe1\build2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\244d5f85-3966-4a43-b4e6-49a531396fe1\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.2ip.ua | udp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 8.8.8.8:53 | uaery.top | udp |
| N/A | 8.8.8.8:53 | fresherlights.com | udp |
| N/A | 116.121.62.237:80 | fresherlights.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 116.121.62.237:80 | fresherlights.com | tcp |
| N/A | 8.8.8.8:53 | t.me | udp |
| N/A | 149.154.167.99:443 | t.me | tcp |
| N/A | 95.217.31.208:80 | 95.217.31.208 | tcp |
| N/A | 20.189.173.2:443 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\6e9d5f81-3c59-4645-a336-5b036a96b563\3c376fc86e08d64b331923b4f2ce1cf4348192f3c247fc82a04ff20664f20186.exe
| MD5 | 600f9e2655063f0d028a052e876c1027 |
| SHA1 | eb5014b5be86c70358642e3ed9cb3501996ea758 |
| SHA256 | 3c376fc86e08d64b331923b4f2ce1cf4348192f3c247fc82a04ff20664f20186 |
| SHA512 | 90b89893c675176968cbd43e1c53f54f22d07437e2ad05d69a1135651eec5b7875f558634b055e7d126b0dbd73f5a6690747f679dcb1f561f934b6f834761a41 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 76e7d5bf61b2e80d159f88aa9798ce91 |
| SHA1 | 32a46de50c9c02b068e39cf49b78c7e2d5ace20d |
| SHA256 | 280fd6ae3ad21323199759814c4dd82329eb8f9847ed1fa2be145e83b4c88bf3 |
| SHA512 | 5efd8c64ac40ae006d2ce4509eb9e5f1448fb1156e914d303e8bc4dcfe1d94c57c7eae216b362877e7b644876656cc9e5c4cebfc905bab3f8b09cb1a051d69c4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 1473325371624e7c7eb48d4a9ee40b0f |
| SHA1 | e164076ca13bab34cfe18f9c4c05100203db93c2 |
| SHA256 | a89e5215722cb0884e1d6c5312c02a4cd8dcacff698a25f5540dd7dade4a830c |
| SHA512 | 2f5c820c8caa9999c44a64f3d6079db4b00880e5d0b97656014289675fd8357d21f03ee6f1cf64ce708456cbf7bcf49f97e7d1709e01457a9984ca280b78c803 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 916c512d221c683beeea9d5cb311b0b0 |
| SHA1 | bf0db4b1c4566275b629efb095b6ff8857b5748e |
| SHA256 | 64a36c1637d0a111152002a2c0385b0df9dd81b616b3f2073fbbe3f2975aa4d8 |
| SHA512 | af32cffea722438e9b17b08062dc2e209edc5417418964ead0b392bd502e1a647a8456b2ee2ea59faf69f93d0c6ea6f15949b6c30924db7da65b91cb18e8dc6c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | ae51d8463214ebe5714631d2c71908ee |
| SHA1 | 85ad48465f99ee6e65c0a12b04f3af8909fea084 |
| SHA256 | 6472353bb0927a01a20275dff48cfd9a827fb09e2ce4d33977b0fe18e6107118 |
| SHA512 | b491cebc5e582861881a40235248865de19e430bb2e431ec39255d4eeed8d123de8db109173a0f2010291af6c618c4c4afa2cb14a1a156eb22cd1149ea6863e4 |
C:\Users\Admin\AppData\Local\244d5f85-3966-4a43-b4e6-49a531396fe1\build2.exe
| MD5 | 03ddc9dc7312d33ad1c5f6ed2d167645 |
| SHA1 | e75de38aee3b0beb5cc91334ecbd8a876c8351a6 |
| SHA256 | 60724da01de35adee6cb34317cd2947fbcb791a8381386d79072857a19a58708 |
| SHA512 | 9a23eb681563719a6ad9202038a307e842b9a60c16aec2f01ce422feca11ac8d6e1d0e9a30e110e17bec4421121643ac87f075eae8bf127dca2213f7a2c6f1aa |
C:\Users\Admin\AppData\Local\244d5f85-3966-4a43-b4e6-49a531396fe1\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |