Analysis Overview
SHA256
d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386
Threat Level: Known bad
The file d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386 was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Modifies file permissions
Checks computer location settings
Looks up external IP address via web service
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks processor information in registry
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-31 15:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-31 15:04
Reported
2023-03-31 15:06
Platform
win10v2004-20230220-en
Max time kernel
144s
Max time network
153s
Command Line
Signatures
Detected Djvu ransomware
Djvu Ransomware
Vidar
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\32664ba3-81d2-404c-be85-d85564a5ee1c\\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 636 set thread context of 804 | N/A | C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe | C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe |
| PID 4780 set thread context of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe | C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe |
| PID 2060 set thread context of 4660 | N/A | C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe | C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe
"C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe"
C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe
"C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\32664ba3-81d2-404c-be85-d85564a5ee1c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe
"C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe
"C:\Users\Admin\AppData\Local\Temp\d04c33220b86da0ffe4847811795c7af927a63fba3166a18e016700b963d6386.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe
"C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe"
C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build3.exe
"C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe
"C:\Users\Admin\AppData\Local\597768d7-edfb-4852-bceb-9d5e6cd924a8\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4660 -ip 4660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1708
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
Network
Files