Analysis Overview
SHA256
8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9
Threat Level: Known bad
The file 8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9 was found to be: Known bad.
Malicious Activity Summary
Vidar
Detected Djvu ransomware
Detect Vidar Stealer
Djvu Ransomware
Downloads MZ/PE file
Executes dropped EXE
Modifies file permissions
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:55
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:55
Reported
2024-01-15 05:00
Platform
win7-20231215-en
Max time kernel
299s
Max time network
165s
Command Line
Signatures
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8268814b-eceb-4584-95c5-fd9651381e30\\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe
"C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe"
C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe
"C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\8268814b-eceb-4584-95c5-fd9651381e30" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe
"C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe
"C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe
"C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe"
C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe
"C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe"
C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build3.exe
"C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build3.exe"
C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build3.exe
"C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 1464
C:\Windows\system32\taskeng.exe
taskeng.exe {3340BD73-419C-43A9-9AE8-1D1AFD7335C5} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| KR | 211.181.24.133:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| MX | 201.119.97.253:80 | habrafa.com | tcp |
| MX | 201.119.97.253:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
Files
memory/2256-0-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2256-1-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/1992-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2256-3-0x0000000002260000-0x000000000237B000-memory.dmp
memory/1992-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2256-7-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/1992-8-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1992-9-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\8268814b-eceb-4584-95c5-fd9651381e30\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe
| MD5 | 565c475cae0e0db1c7f91152d5b5e8f2 |
| SHA1 | 11af57d84807b03b63ff723c67e2f6cc7d7a1bb8 |
| SHA256 | 8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9 |
| SHA512 | aebefd3c27131765a0763cc58032fabf98521e63507b2b275754eeb10565b5a3f4a598bda0dcf2e1df269493cfb456607b45142a0bb904ecf4d48c60907101c4 |
memory/2560-28-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/1992-27-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2560-30-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2424-35-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2424-36-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 00a04ef073b717a5f9f243a07b6a0778 |
| SHA1 | d2d797aa88a0e8154e99e9d570b46933d99682ec |
| SHA256 | b1315d5a90f25e76f77eecd619b5c4f407d30760e94514f40a0a3f112595a12a |
| SHA512 | 1dd489f8163f6da6640a46b6bedb38d036ee88437b23cf7b5d00887d578a4e2da18878ae6e8fd4aaaba2b28412132d8b238169c0dbddfcebfa767a1b085047be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 6289fae3ab603fb4bbe270375e594ca7 |
| SHA1 | 739a20bf73206fb8034f4b167642c8e1663176b1 |
| SHA256 | 004b2cf168e540cca660858526d02cd9ec285c7eff0bdc886b56c0e5906d4f00 |
| SHA512 | a7f7f6a744243155456032fc6f900c6e9b1bd105d66edd777873a9c95d10c04f1b8b358c43ded100436a707448300172344bbcb87d0911dfc03599d9dcc8d7ef |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\Local\Temp\CabA341.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f4f6717b6e4da85e5b2e3034ae56c772 |
| SHA1 | 05f0cbf878796f49a353885fb393259d7db0a1da |
| SHA256 | 765abbe4dd76f9ba381a9fd8ec170b30983fc7a5a80dc7f13cd2deae2f76ae0c |
| SHA512 | f2ea8ec59d2de9ff9b6f55adc870d6bb6a46c8efb19f2d3c52be33ff4327ea68fa69fae0f40666f9ccd96723efda3df73976e96bb5da7a4df72458411b9eb1c3 |
memory/2424-49-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2424-50-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2424-54-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2424-56-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2424-57-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build2.exe
| MD5 | c4070da9f9b0581171af16e681ccdff8 |
| SHA1 | 3fb4182921fdc3acd7873ebe113ac5522585312a |
| SHA256 | 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0 |
| SHA512 | c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427 |
memory/2144-70-0x00000000008C0000-0x00000000009C0000-memory.dmp
memory/2144-73-0x0000000000230000-0x000000000027B000-memory.dmp
memory/1528-75-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1528-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1528-78-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1528-79-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2424-80-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\a2163dd7-f060-4d1c-b479-33dd803bbbc8\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/2424-91-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarBCCB.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
memory/2852-167-0x0000000000920000-0x0000000000A20000-memory.dmp
memory/2852-169-0x0000000000220000-0x0000000000224000-memory.dmp
memory/824-170-0x0000000000400000-0x0000000000406000-memory.dmp
memory/824-173-0x0000000000400000-0x0000000000406000-memory.dmp
memory/824-175-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1528-237-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2916-247-0x0000000000230000-0x0000000000330000-memory.dmp
memory/808-271-0x00000000008B0000-0x00000000009B0000-memory.dmp
memory/2600-300-0x0000000000250000-0x0000000000350000-memory.dmp
memory/2648-329-0x00000000008A0000-0x00000000009A0000-memory.dmp
memory/2732-358-0x0000000000290000-0x0000000000390000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:55
Reported
2024-01-15 05:00
Platform
win10-20231220-en
Max time kernel
13s
Max time network
300s
Command Line
Signatures
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
Downloads MZ/PE file
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e83253ac-c548-4ae9-ba5d-daf40a11c3e7\\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 32 set thread context of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe | C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe |
| PID 652 set thread context of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe | C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\114a5cb3-dbbe-4e93-9e9c-b58f5e3d0f73\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe
"C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe"
C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe
"C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe"
C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe
"C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e83253ac-c548-4ae9-ba5d-daf40a11c3e7" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe
"C:\Users\Admin\AppData\Local\Temp\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\114a5cb3-dbbe-4e93-9e9c-b58f5e3d0f73\build2.exe
"C:\Users\Admin\AppData\Local\114a5cb3-dbbe-4e93-9e9c-b58f5e3d0f73\build2.exe"
C:\Users\Admin\AppData\Local\114a5cb3-dbbe-4e93-9e9c-b58f5e3d0f73\build2.exe
"C:\Users\Admin\AppData\Local\114a5cb3-dbbe-4e93-9e9c-b58f5e3d0f73\build2.exe"
C:\Users\Admin\AppData\Local\114a5cb3-dbbe-4e93-9e9c-b58f5e3d0f73\build3.exe
"C:\Users\Admin\AppData\Local\114a5cb3-dbbe-4e93-9e9c-b58f5e3d0f73\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 2124
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\114a5cb3-dbbe-4e93-9e9c-b58f5e3d0f73\build3.exe
"C:\Users\Admin\AppData\Local\114a5cb3-dbbe-4e93-9e9c-b58f5e3d0f73\build3.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| MX | 201.119.97.253:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | 253.97.119.201.in-addr.arpa | udp |
| KR | 211.181.24.133:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | 133.24.181.211.in-addr.arpa | udp |
| MX | 201.119.97.253:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | N/A | tcp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | N/A | tcp |
| DE | 116.202.0.196:10220 | N/A | tcp |
| DE | 116.202.0.196:10220 | N/A | tcp |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
Files
memory/5096-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5096-6-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5096-4-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5096-3-0x0000000000400000-0x0000000000537000-memory.dmp
memory/32-2-0x00000000027C0000-0x00000000028DB000-memory.dmp
memory/32-1-0x0000000002720000-0x00000000027B3000-memory.dmp
C:\Users\Admin\AppData\Local\e83253ac-c548-4ae9-ba5d-daf40a11c3e7\8eaab3be19d780dc79e63aea6a88880880c8a9fcc6b8a729e8db0b8e1aaedef9.exe
| MD5 | a3790a729a8151b6ef93264c3453a43b |
| SHA1 | 49a5fd7ec7d173e951482399854b4d88e9b4ec97 |
| SHA256 | 9bb8f59333ce6ff89161dd00816ed4bad8522954e57fa2b86ceee8e585a018a0 |
| SHA512 | 784123dc09c0fbf28d16e9b26bfa3e334474a816c3e93fc3d6dd2c9be607ea48baf7658f24e3518190879f548834aa2e0faeb1e47581ae1ca5ec0700f2d66c01 |
memory/5096-17-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4376-22-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4376-24-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4376-23-0x0000000000400000-0x0000000000537000-memory.dmp
memory/652-20-0x00000000023D0000-0x000000000246A000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | ef951804d83d42e94093d6f68c07f9d2 |
| SHA1 | 864e4060cb37218705d153ff2c8d553fe9b318c2 |