Analysis Overview
SHA256
58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b
Threat Level: Known bad
The file 58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Detect Vidar Stealer
Vidar
Djvu Ransomware
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:51
Reported
2024-01-15 04:56
Platform
win7-20231215-en
Max time kernel
298s
Max time network
159s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a2d35282-fae8-4629-8a65-b4f4bf65e769\\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe"
C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\a2d35282-fae8-4629-8a65-b4f4bf65e769" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe
"C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe"
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe
"C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe"
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe
"C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1464
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe
"C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {E83BAB74-7AE2-4AD1-AE09-0419A9B8AEC3} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| KR | 123.140.161.243:80 | habrafa.com | tcp |
| KR | 211.168.53.110:80 | brusuax.com | tcp |
| KR | 123.140.161.243:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
Files
memory/2240-0-0x0000000000240000-0x00000000002D2000-memory.dmp
memory/2240-1-0x0000000000240000-0x00000000002D2000-memory.dmp
memory/2240-2-0x00000000004D0000-0x00000000005EB000-memory.dmp
memory/2916-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2916-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2916-7-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2916-8-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\a2d35282-fae8-4629-8a65-b4f4bf65e769\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
| MD5 | 801d88770313a1b52d78aac315b5e44e |
| SHA1 | 295694fa03a099bb977049b5d0348ae59ffeb6f5 |
| SHA256 | b0922cb660f9d08eee36ea7c11c6109301597c97f420e5e4a5211ff420bac8b2 |
| SHA512 | 04326ffee6c928e1fbb527a6fd6e66eeebcd9ecce1d53dde694cffd2847df1514e2cdc5dffc0785ae9da705298fa76ab7e6fdd5e6d666e5c0f3bc3ccb8fb350b |
memory/2916-26-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2880-27-0x0000000001CE0000-0x0000000001D72000-memory.dmp
memory/2880-34-0x0000000001CE0000-0x0000000001D72000-memory.dmp
memory/2152-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2152-35-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2880-29-0x0000000001CE0000-0x0000000001D72000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 7a617aacb167ff477b6174ea445129ac |
| SHA1 | a8621d37008de52315fc425204e12e430400b027 |
| SHA256 | 4833a7c1b75f46d2270dd956c6cd8275039d00cd176dc4d5741670928fdd6a10 |
| SHA512 | 040631344987a1195f331c222b04455533a235253da8a854a3bf20d3c9e9fd93effd22f677f25222f52e667e70d5b4e3c8fa7fc2fa1bed54588bdf5178c9e07c |
C:\Users\Admin\AppData\Local\Temp\Cab6CC7.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3b9834a90af53b48e47bc03ce501cef1 |
| SHA1 | 819f847cf6d4f7393d81f8399b798999cf082947 |
| SHA256 | e3b22fe7b710d185c43e5ef21a4e2ff01101ded1eb7fedc277f90972855289a1 |
| SHA512 | b9fcb4b3311f810e6912853b8936ec175f33fbf8e652d18e0a2d23760f4f11bfceac7a9b22c3f6e625773ec9c88ba81c17e49651370e740c2db91b28c3e2c410 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 9f8cb28a41f4e6ce22e66da1394e3493 |
| SHA1 | 89be50044db9b8fe36c9c8ffa583fa85e83086c8 |
| SHA256 | 9e25075febf7fde0e6c7615b06b1e0ca3d5e4629930809eb2d46cd34924f4ead |
| SHA512 | dd7f6289c9821545a979b3516743bed2ba71b4e43ca3b6eee9e7fc0ceaf1c40f8ec817a067ba8050e56195438ccb602b262b64e0f58bd52121715892f234f0f3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
memory/2152-50-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2152-49-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2152-54-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2152-57-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2152-56-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2152-58-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe
| MD5 | ad38fdd0db4c7c0191ae83ce7a61e4ee |
| SHA1 | 6843d68e8290aec4cefc0ba37a8d61a10b1c7e7c |
| SHA256 | 66fa9727b477df887578c3570f26ee57571d0ed82dbdbdcde028fbe1541b5fea |
| SHA512 | 905d95ccebac7d64adfdcdc7a7efc98744713c7ce09edce5ab3ea9f6b885c9e019052887f7bf0d905fe6d231191d83027993d11edff7c9dbdd25f12f6a11bcb2 |
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe
| MD5 | e89bde19fb9b37c089ca3abd84b032d2 |
| SHA1 | bb7544fca99ecc0ad52ada96174aeab60fc73ff3 |
| SHA256 | aef4380723a2bffa187fad845a3b07c1977e3fcad4e4864a63c691da7a3a366c |
| SHA512 | a4a63857e2084559f6a9a1b405057e0105ac6dc2ede932df7ebe3c1967b2df099131b0a37aada12945220eb94cfac691d67d0fe82898d1a9a42096cf60a9772e |
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe
| MD5 | c2e8559bea84c210250b05175275dd91 |
| SHA1 | 21ba87ac0920c39986d1dd6d0f12d707f0f22b0d |
| SHA256 | 7874e9bfac041e51b91565bc75494e41746da7b216daa8de4f14e3038ea1de69 |
| SHA512 | 1d76b016b8eabdc2b54cde0707af1f3a1a691a742db8a34bf338dfbb1269f3a1a6d16ca64c7208565afa652a566c4ba6a66ca0db8fe6d953d644845705318fc3 |
\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe
| MD5 | efdf40d4b946d5fe1253d2e40f9c5115 |
| SHA1 | bfa7e266d5260cabb1631b046dad2cf747ed64f3 |
| SHA256 | 0c0589df21420e803078064ff51f209744b2123146cb8072af9120e44a798171 |
| SHA512 | 23c92e5afb065878a8cde7b4ac1d9d53ba590cc039b4b6f944cce2f06efb92ae39cc9735e8fb352aa2087f369a268dddcabeb017e0d18f4b5d24b4b6f56e1b09 |
memory/740-73-0x00000000005B0000-0x00000000006B0000-memory.dmp
memory/2044-79-0x0000000000400000-0x000000000065E000-memory.dmp
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe
| MD5 | f94c2f0a318fbe7d6abbdb7f94bc996f |
| SHA1 | ef0bc409ee4812c2b7a1dd85c8cabc802e80a1c2 |
| SHA256 | cdeaa3ffd1338cb4b02c66ebfeb6dc6f1070beb6e8fbf501477129d7eff34670 |
| SHA512 | 5ac94bcea0847ef32691e21c64f67aa90f8f09c136695297166681047cc1b3abe0127f1b0a8397163ee5e40fcc38d246bc1cce7e63b3bd0d8318228af70b380d |
memory/2044-80-0x0000000000400000-0x000000000065E000-memory.dmp
memory/740-75-0x0000000000230000-0x000000000027B000-memory.dmp
memory/2044-76-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2044-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe
| MD5 | f95ea965e227ac34fcdb0a2861639025 |
| SHA1 | e2249206c9436cb19c6192d418b0aa6c7c3c6d6e |
| SHA256 | 906fd64c362f6750499ae166302d4d8e1268176ceed0f14dfadb8e1d272c0e92 |
| SHA512 | 0a405ac3e0439e8ca87f90abecac99cc094b5bee6e331f115a2058a214450d73703dc98d8eb5e2870483472f620732f16be6144e2945481a335861264e07a538 |
C:\Users\Admin\AppData\Local\Temp\Tar8538.tmp
| MD5 | 1c72ad556b8e38e1c6329e18e5a639c4 |
| SHA1 | 29af4d07dd3346f6bfecbd614825d29d7c60674f |
| SHA256 | 48fb75c2c46735c2410b2322f0e590b5e8878e82fca923b61b02d5a7288ebc63 |
| SHA512 | 2c23e244492da837e9777d5b0bf12173e3458a5f9317b0c2c1305116669111d2451ca475328d69fe88278da071ed4413ff762587a18567b170e392c2b34e57f9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f8fa59842506baabfd6dfb2364632958 |
| SHA1 | aa5ad8196c99651c4d96b341d7dd0ed8f1a9b367 |
| SHA256 | 3b6584ff933e9583ea9c988a65354060522f90c5507edb767b49ed34fb188eaa |
| SHA512 | 1403b765c0567672ba93d5098df503c304b836be9c80c816d3109e68c6e584df41e86cc9ceaf0836138654283f6c63d50f126bd5398781c557f26e1b467caac2 |
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe
| MD5 | a82bf8636c06e7081df3c88f120640be |
| SHA1 | 4277d5f45ced663c86583f9c8e6ff339fae8cf79 |
| SHA256 | 315c021ef2b5fd836b1242309346102c35da6209a54b25207af192283e74267b |
| SHA512 | 8160aa3a0978473c816185d021f6ae993b62f16613cc3c0af71fa619b818de18e8a839b6994821bcc141655585eeeebcf7acd8852c10a0bdfa495164a5f79ab2 |
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe
| MD5 | 38331a82abe588b06cd02561e498c89c |
| SHA1 | 15ecc31f1cac2903830080b760e32740cfae3bb8 |
| SHA256 | c4e53a406513d0af7c491270e3eccd6f0c3c1973c7750a37fcec8c7c5d38e144 |
| SHA512 | c73b68bfe28b9f553b616dbaa90bf95021859702dc1b83e08bed12a0378b1f74b3e9b5e164ebfd74a3664c5c09c596cfb6f6a40a08b48f16229f1639f5c0adcc |
\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe
| MD5 | e1851d2ef4776535dda5f7813c664724 |
| SHA1 | 4337e412b5a9612e4fca5f696185fca563a4ffe2 |
| SHA256 | a8e228e248ed175221b672da4f12a21559ed79777b9fcc38c9ba12603f9cc2e4 |
| SHA512 | f50bbde99af3c938756e880b15457f313c3188225637a8e4c03b7ddaf4771cf28cd07772ce58986f46c25a81fec095c639a28895235e9a7a92182e6e127b64de |
memory/2152-152-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe
| MD5 | 8b6a819c6926597dfa7529b692d7a6cc |
| SHA1 | 50c535e9cca464afd3a589d2231d87ce417d4312 |
| SHA256 | b9cb5501cc2d257e049e1757062523c7f9ee5a85d57d46538fe492125befd26c |
| SHA512 | dfd28b270d99ad89f8ce1df9750b92ff558f73fe2448bf182b5c1c05c7b180bb29175eeaf5a7c918791d64b36167fc1a6044f1aaff838e02e878782f5f6c0ba9 |
\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe
| MD5 | a99dce227407cd4a8ae67fbe37b6079d |
| SHA1 | 81abb6534ac149b97cafa41e580a707de285b790 |
| SHA256 | c6c569d62c9a1ac8d5adc29a449101b71cacaf680766bc97f997a93b2ad3a273 |
| SHA512 | ab309db5b34806dbd733c26c0f4ab42d0b564212c4205d34d7b0a71e81af489927e1bbbfe65bb5e767f7ab3b59a94e9cf32485df32e00f5b98bdedd5e4f1dcd5 |
\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe
| MD5 | 2b1044986fed50e3db11f62830caa61e |
| SHA1 | 007be66f57f620becaa579d7b62ad133f9611b9e |
| SHA256 | ecf7cb6948472812e614d5b0d502ca87e363521db2a11bf1a55450b9ab5acda5 |
| SHA512 | 2b06b7e92d2e1ff66de2939a1a1fcb60c38f8bf5847674a28d96aecf214f74c6025e2db91819f43416ae96ffd0847def53afc79d8510748866542fc27dfbba17 |
\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe
| MD5 | 667e150e0eaef936810f438619a01955 |
| SHA1 | 3bc7f72365daceecc63162ba53f9b90eb65a7be8 |
| SHA256 | 3c6ab98262ad6701a7e0f1abba0c1ab0d85e2613bda4ece76533267daa30f97f |
| SHA512 | 11cb93f49a3fc1a21488eca1676419511cc1b915db878e0c1978eb1bbeee8aa39d7d14cf2de60bb690dc95aeddd9186f948974178806b0ac6beb200ef368494b |
\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build2.exe
| MD5 | 1bc8b52ac0ae323631fe28dda57f1c0c |
| SHA1 | 333c0d702ed1216ff087e5348646c7d2c5f6b50a |
| SHA256 | ca2a209552033bfdc228bea070a611d8452616fd2cc23ee0b53363f80ff8ea1c |
| SHA512 | 5d1d61e7fd700b75f8ea89a5322f9bdae14486e365bfadb56fb8d20c2a4084cb2b94aa23f50efd692fbc5979cb0e6a0af8c3dfe326baf43d394b13a15e656f56 |
memory/2452-220-0x0000000000312000-0x0000000000323000-memory.dmp
memory/2016-217-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2452-221-0x00000000001B0000-0x00000000001B4000-memory.dmp
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe
| MD5 | 60a12caace88752fd7810023659be910 |
| SHA1 | 9ac460eb628d0b5a7e4aac60af374f817265c236 |
| SHA256 | 45b4414c9bbac9f5725fe3d9dfe48aec2ce4d44a4df8d3bc30a7a8a3555eaaa1 |
| SHA512 | 802caf09043df8f516be8db08859855344aadc2285f04d3da12483a0ca674710149a636745823e58e236ecdbc1894b9d96980c6fa46c59e0669e2e061a1c4db2 |
C:\Users\Admin\AppData\Local\12cca985-bade-45ce-a8c9-b10feb685f45\build3.exe
| MD5 | 8c01266d2ed407f681b1a0b88a81df25 |
| SHA1 | d2b29a1e598e83f6fefe12cec439e6384f1f146d |
| SHA256 | 74156317e67a872f05786ca5080851ca94d9fbcc55905ed141d9910df5651902 |
| SHA512 | 1be9f6398b996782f5d3fb017aa65852cb15cce4c5656ede2b76317e2b23ff84d4c71bb0bc055da3a90b94c5b4d6419e4907759ea6a1e17ec7c0413d65f2bd1a |
memory/2016-223-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2016-222-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2044-226-0x0000000000400000-0x000000000065E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/2100-241-0x0000000000250000-0x0000000000350000-memory.dmp
memory/1440-266-0x0000000000C30000-0x0000000000D30000-memory.dmp
memory/436-298-0x0000000000900000-0x0000000000A00000-memory.dmp
memory/1468-326-0x0000000000880000-0x0000000000980000-memory.dmp
memory/1468-338-0x0000000000880000-0x0000000000980000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:51
Reported
2024-01-15 04:57
Platform
win10-20231215-en
Max time kernel
298s
Max time network
298s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-33539905-3698238643-2080195461-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d991ce85-6fa1-4d89-903d-859047eaa94a\\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe"
C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\d991ce85-6fa1-4d89-903d-859047eaa94a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
"C:\Users\Admin\AppData\Local\Temp\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
"C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe"
C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
"C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 2072
C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
"C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
"C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| AR | 186.13.17.220:80 | brusuax.com | tcp |
| KR | 211.181.24.132:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | 220.17.13.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.24.181.211.in-addr.arpa | udp |
| KR | 211.181.24.132:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | | tcp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.116.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
Files
memory/220-1-0x00000000005A0000-0x0000000000634000-memory.dmp
memory/220-3-0x00000000023A0000-0x00000000024BB000-memory.dmp
memory/2288-4-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2288-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2288-2-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2288-6-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\d991ce85-6fa1-4d89-903d-859047eaa94a\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
| MD5 | e22cc391ec96183337fa39658716d352 |
| SHA1 | 6d42eeba5cdef2fbc22e5d0f775f2e848e7004fe |
| SHA256 | 55bc702d0f53bae786546193da6740f2bfc7999f03ebc7b7be76baf16a95ebd9 |
| SHA512 | 67386103d2714077485318d6e48443b5459193b33c2ac4bd58cec08d5e05a7b6e39b18da5550d3ee192b397fa5a7818c0a92636dfce957c93f91b3355e0ca0ff |
memory/2288-17-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2876-20-0x00000000021D0000-0x0000000002272000-memory.dmp
memory/1320-22-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1320-23-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1320-24-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 0bf5dcd55d1bf70c75c40bec9e679d78 |
| SHA1 | bb06303922c337e33988dd59f72621a4f73dcc52 |
| SHA256 | f30da7f83c68d205f0ed7c388c627da4991377ce013b897daa67088309d0c0d1 |
| SHA512 | fa725d5f17ae4a98e84deba8e891afc2ac77e80347069dc6ef27a0d7b524b364778d609710faa033c6360d63206b11394847058a77384b2586f7066b4f7b287f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 789c4f9e15f2dfc83e691c1b0adb9df3 |
| SHA1 | 6328e86f30dc8792c911ee3860fb5cfa514937be |
| SHA256 | 60dbf7c296e4da0a7121c492e91c63dff784822db3f399b576272a03d7aead77 |
| SHA512 | e8c34fa47ffa463aea15f1eb0b0d8fa0f9dff5915ecbc65c82b721651804e40b8220297a8440e2c33ca3ff06f440a95fc59a4c1262c6078c3344459e3438a960 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
memory/1320-30-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1320-29-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1320-34-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1320-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1320-36-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
| MD5 | c4522c95d578ae0ce61bb5246e06fad9 |
| SHA1 | c4808003b653392e82282f427d2313f2549697fc |
| SHA256 | c358c5e561605d7d093a42bf56ff6e7e0e0b90bfe06896dde5162e7215278fa6 |
| SHA512 | 81e207793d553731d32a5e1fae82aaf17e55cebf6567b4caaac6592b670b6e5a5d1543af7f147744b8309cd357d116d1df49df8078f083320757fc7b35f73047 |
memory/1320-45-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
| MD5 | 081abf7827e6bbdf42f3df0fe751d40f |
| SHA1 | 597be0cc3c2b541e61b84ef1e772e7d60387dfd3 |
| SHA256 | 98785ba14bf41a1b043d2a3f27a7f40b3efbe58af4e0167394f867d6559c59c9 |
| SHA512 | 0699b2ea49a74ea31772c21c967f999cd03af9ba49b55bf0e5a7c439a02dd7bb91ae5d90ef1c0eacf8a2b8765fd81d2a6f186ed7ca72f832ba2841afe5b36155 |
memory/3860-48-0x00000000005B0000-0x00000000005FB000-memory.dmp
memory/1884-52-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1884-53-0x0000000000400000-0x000000000065E000-memory.dmp
C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
| MD5 | 80466d1e3c1a8d321262938f6c86178b |
| SHA1 | d735dd52915df87857efbd6c323fb327e6198f96 |
| SHA256 | 25c9c2a23350fb899a793a24cdb32d971f33676b303ff25de2f8edd5c89dc0ba |
| SHA512 | 3825a00eda5e91a859f95de28755036dbd3c67f3d004cab2094be34fce71de7164a2a11581445b2c5c7dc206156d3d4009d3269bd25b95eb2ec28fa7d2ea4312 |
memory/1884-49-0x0000000000400000-0x000000000065E000-memory.dmp
memory/3860-47-0x0000000000750000-0x0000000000850000-memory.dmp
C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
| MD5 | 43e8dcdf963318ec99324c8913783811 |
| SHA1 | 59b47c2b52458f57d1b7360bc581493bbe639352 |
| SHA256 | a3f2c541cda7b170163b241505c6f86d03c3ab279c2881caa0ff837b03a7af4f |
| SHA512 | 4c3b5085c59c1c6f1858e619c6032a735196c604af5e7687986a5d0366b62a7e6380bf17fb8034e7df843f4b67bd170962bbabb049fccd21c6defd93ba697be3 |
memory/1320-63-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
| MD5 | 0c19c644888b16a4df5076f73b27916e |
| SHA1 | 76071db49d5c2f8ad81bd5d4a5803fe4e201502e |
| SHA256 | 9ce896dfc21f5a1f92439553ce1b419f34e684321e1864b52f6fd73c8d533014 |
| SHA512 | 560ce9f62dc12a8ce34f9c6cf6e54d436e35b8855c9d5fa8c41b6164ed8870b249678ec15d3bc0ecd9348fc0eb9e25b0b9c6db21021bfe4d15de1d9a43fd9e88 |
memory/2196-67-0x0000000000400000-0x0000000000406000-memory.dmp
memory/4012-70-0x00000000001F0000-0x00000000001F4000-memory.dmp
memory/2196-74-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 334373b5bdd0f5e9896cc72c810ab441 |
| SHA1 | c10ece55d561b6753bb78e89a4d74b2f4954aedf |
| SHA256 | 886172f58a393b58952d9e8423812eae1d78987f8f2dd89f07dec8e2fe7fccc6 |
| SHA512 | 3673a099787d5369fd035c742ab112e2a88379758902b17a015a5374c7282c61b8bbc0f0e387f78a43ab7f1a7222e5c1158bf0e399f3f1e2271fc436065ae9c9 |
memory/2196-72-0x0000000000400000-0x0000000000406000-memory.dmp
memory/4012-68-0x0000000000910000-0x0000000000A10000-memory.dmp
C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build3.exe
| MD5 | 9a8f5656d62d3fc8fe93a71bd3f98b6e |
| SHA1 | 746353f9c68752150cc2d9a8c5f76ba347d08b96 |
| SHA256 | 38b519820e2c99239fdab16a36c9045f62d24bcb436dc3b924df8f0a5fa54e12 |
| SHA512 | dc3c490695e8a1899ecb776a0769ce8f9877a2400076c7caef742388ede8746b99e1d555d402216cee6dbfbdaee7a605df1fb0f9e548a6c19932cd7ad063b9eb |
memory/1884-77-0x0000000000400000-0x000000000065E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/3040-91-0x00000000009C0000-0x0000000000AC0000-memory.dmp
memory/2920-116-0x0000000000980000-0x0000000000A80000-memory.dmp
memory/3616-121-0x0000000000410000-0x00000000004D5000-memory.dmp
memory/4884-143-0x00000000007F0000-0x00000000008F0000-memory.dmp
memory/1636-170-0x0000000000B80000-0x0000000000C80000-memory.dmp
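The connection table and the Files list above are the parts of this report a responder actually turns into indicators, and both have traps: the `*.in-addr.arpa` queries to 8.8.8.8 are reverse lookups of the peers already seen (treated here as sandbox-side noise rather than malware behaviour, which is an assumption), and several dropped paths (`build2.exe`, `build3.exe`, `mstsca.exe`) are listed more than once with different hashes, meaning the file was rewritten during detonation, so a blocklist built from only the first hash would miss the later copies. The Python below is an added example, not part of the report or of any sandbox vendor's tooling. It parses a subset of the lines copied from this page (embedded as constructed sample text), separates direct connections from DNS and PTR traffic, collects every SHA256 per path, and flags the two path patterns this sample shows: an executable in a GUID-named directory under `AppData\Local`, and an executable under `AppData\Roaming\Microsoft\Network`. The layout rules (a path line followed by `| MD5 | … |` rows) are assumptions about this report format.

```python
"""Turn the report's flattened network and Files tables into indicators.

Added example, not part of the original report. SAMPLE_* below are lines
copied from the report above and embedded here so the script runs offline;
the row-layout assumptions are documented on each regex.
"""
import re
from collections import defaultdict

# Constructed sample: verbatim subset of the report's Files section.
SAMPLE_FILES = r"""
memory/2288-4-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\d991ce85-6fa1-4d89-903d-859047eaa94a\58147f68d96505cd239782f1a6783d5f03825da44a58fb494801e03aec79cf6b.exe
| MD5 | e22cc391ec96183337fa39658716d352 |
| SHA256 | 55bc702d0f53bae786546193da6740f2bfc7999f03ebc7b7be76baf16a95ebd9 |
C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
| MD5 | c4522c95d578ae0ce61bb5246e06fad9 |
| SHA256 | c358c5e561605d7d093a42bf56ff6e7e0e0b90bfe06896dde5162e7215278fa6 |
C:\Users\Admin\AppData\Local\e4a0b80e-202e-4233-88db-190a8ae9411a\build2.exe
| MD5 | 081abf7827e6bbdf42f3df0fe751d40f |
| SHA256 | 98785ba14bf41a1b043d2a3f27a7f40b3efbe58af4e0167394f867d6559c59c9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 334373b5bdd0f5e9896cc72c810ab441 |
| SHA256 | 886172f58a393b58952d9e8423812eae1d78987f8f2dd89f07dec8e2fe7fccc6 |
"""

# Constructed sample: verbatim subset of the report's connection table.
SAMPLE_NET = """
| US | 8.8.8.8:53 | habrafa.com | udp |
| KR | 211.181.24.132:80 | habrafa.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
"""

# Assumed layout: one hash per row, '| ALGO | hex |'.
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
# Assumed layout: '| CC | ip:port | name | tcp/udp |'.
NET_ROW = re.compile(
    r"^\|\s*(\w{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]*?)\s*\|\s*(tcp|udp)\s*\|$")
# Path patterns present in this report's Files list.
GUID_DIR = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\", re.I)
ROAMING_NET = re.compile(r"\\AppData\\Roaming\\Microsoft\\Network\\[^\\]+\.exe$", re.I)


def parse_files(text):
    """Map each dropped-file path to the list of hash records seen for it.
    'memory/...' dump entries carry no hashes and are skipped. A path that
    appears more than once was hashed more than once by the sandbox, i.e.
    its content changed during the run; every record is kept."""
    files = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            files[current][-1][m.group(1)] = m.group(2)
        elif line.startswith("memory/"):
            current = None
        elif not line.startswith("|"):
            current = line
            files[current].append({})
    return dict(files)


def parse_network(text):
    """Split the connection table into resolved names, reverse (PTR) lookups
    treated as sandbox noise, and the direct connections that are the IOCs."""
    dns, ptr, direct = set(), 0, set()
    for line in text.splitlines():
        m = NET_ROW.match(line.strip())
        if not m:
            continue
        _cc, ip, port, name, proto = m.groups()
        if port == "53" and proto == "udp":
            if name.endswith(".in-addr.arpa"):
                ptr += 1
            else:
                dns.add(name)
        else:
            direct.add((ip, int(port), name, proto))
    return {"dns": dns, "ptr_lookups": ptr, "direct": direct}


def flag_paths(files):
    """Return (path, reason) pairs worth a detection rule or a closer look."""
    flags = []
    for path, records in files.items():
        if GUID_DIR.search(path):
            flags.append((path, "executable in GUID-named dir under AppData\\Local"))
        if ROAMING_NET.search(path):
            flags.append((path, "executable dropped under Roaming\\Microsoft\\Network"))
        sha = {r["SHA256"] for r in records if "SHA256" in r}
        if len(sha) > 1:
            flags.append((path, f"{len(sha)} distinct SHA256 values for one path"))
    return flags


def hash_set(files, algo="SHA256"):
    """Every hash of the given algorithm across all records, for a blocklist."""
    return sorted({r[algo] for recs in files.values() for r in recs if algo in r})


if __name__ == "__main__":
    parsed = parse_files(SAMPLE_FILES)
    for p, why in flag_paths(parsed):
        print(f"[path] {why}: {p}")
    net = parse_network(SAMPLE_NET)
    for ip, port, name, proto in sorted(net["direct"]):
        print(f"[net] {proto} {ip}:{port} ({name})")
    print(f"[net] resolved {sorted(net['dns'])}; PTR lookups ignored: {net['ptr_lookups']}")
    print(f"[hash] {len(hash_set(parsed))} SHA256 values to block")
```

Run against the full report text rather than the embedded subset to get the complete hash list; the point of keeping every record per path is that the three `build2.exe` and `build3.exe` hashes on this page are all real on-disk states of the payload and all belong in the blocklist.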