Analysis Overview
SHA256
bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5
Threat Level: Known bad
The file bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5 was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Vidar
Djvu Ransomware
Detect Vidar Stealer
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Modifies file permissions
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:57
Reported
2024-01-15 05:02
Platform
win7-20231215-en
Max time kernel
296s
Max time network
172s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(6 signature hits; per-hit indicator details not recorded)
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(14 signature hits; per-hit indicator details not recorded)
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6a20d32c-f979-4f2b-8978-5b4a96fdff66\\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob not reproduced in this report] | C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob not reproduced in this report] | C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build2.exe | N/A |
Note: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 is the published SHA-1 thumbprint of the DigiCert High Assurance EV Root CA. Together with the CryptnetUrlCache files listed under Files, this write is consistent with Windows' automatic root-certificate update firing on build2.exe's outbound TLS connections, not with a rogue root being installed; treat it as context rather than as an indicator on its own.
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
"C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe"
C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
"C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\6a20d32c-f979-4f2b-8978-5b4a96fdff66" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
"C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
"C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build2.exe
"C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build2.exe"
C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build2.exe
"C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build2.exe"
C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build3.exe
"C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build3.exe"
C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build3.exe
"C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 1448
C:\Windows\system32\taskeng.exe
taskeng.exe {63689AB5-E980-4B44-A099-BE315B20F2FC} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
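The Processes list above contains the three persistence and defence-evasion steps a triager should pull out of this report: the `icacls` deny ACE that locks the GUID-named staging directory under %LOCALAPPDATA%, the `Azure-Update-Task` scheduled task that relaunches mstsca.exe every minute, and the SysHelper Run key that restarts the sample with `--AutoStart`. The Python below is an added example, not part of the sandbox output or of the sample: it runs those checks over command lines copied from this report. The rule names (`acl_lock`, `minute_task`, `run_key`, `djvu_args`) and the matching heuristics are this example's own, and the `--Admin IsNotAutoStart IsNotTask` switch set is flagged only because it appears in this report's process list.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample input, copied from the behavioral1 Processes list and the
# "Adds Run key to start application" signature in this report.
SAMPLE_HASH = "bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5"
LOCAL = "C:\\Users\\Admin\\AppData\\Local"
GUID_DIR = LOCAL + "\\6a20d32c-f979-4f2b-8978-5b4a96fdff66"
SAMPLE_EXE = "{}\\Temp\\{}.exe".format(LOCAL, SAMPLE_HASH)

SAMPLE_CMDLINES = [
    f'"{SAMPLE_EXE}"',
    f'icacls "{GUID_DIR}" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    f'"{SAMPLE_EXE}" --Admin IsNotAutoStart IsNotTask',
    '/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" '
    '/tr "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Network\\mstsca.exe"',
    "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 2176 -s 1448",
]
SAMPLE_RUN_KEYS = [("SysHelper", f'"{GUID_DIR}\\{SAMPLE_HASH}.exe" --AutoStart')]

# Heuristics of this example (not sandbox signatures).
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
GUID_DIR_RE = re.compile(r"AppData\\Local\\" + GUID, re.I)
# S-1-1-0 is the well-known SID for Everyone; DE/DC are delete and delete-child.
ICACLS_DENY_RE = re.compile(
    r'^icacls\s+"(?P<path>[^"]+)"\s+/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)', re.I)
SCHTASKS_OPT_RE = re.compile(r'/(?P<opt>tn|tr)\s+"(?P<val>[^"]+)"', re.I)
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
DJVU_ARGS_RE = re.compile(r"--Admin\s+IsNotAutoStart\s+IsNotTask", re.I)


def classify_cmdline(cmd: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs that fire on one process command line."""
    findings: List[Tuple[str, str]] = []
    m = ICACLS_DENY_RE.match(cmd)
    if m and GUID_DIR_RE.search(m.group("path")):
        # Deny-delete for Everyone on a GUID folder under %LOCALAPPDATA%: the
        # staging directory is being protected against cleanup.
        findings.append(("acl_lock", m.group("path")))
    low = cmd.lower()
    if "/create" in low and "/sc minute" in low and "/mo 1" in low:
        opts = {o.group("opt").lower(): o.group("val") for o in SCHTASKS_OPT_RE.finditer(cmd)}
        target = opts.get("tr", "")
        if USER_PROFILE_RE.search(target):
            # A task that fires every minute and runs a binary from the user
            # profile is a relaunch loop, not maintenance.
            findings.append(("minute_task", f'{opts.get("tn", "?")} -> {target}'))
    if DJVU_ARGS_RE.search(cmd):
        findings.append(("djvu_args", cmd))
    return findings


def classify_run_key(name: str, value: str) -> List[Tuple[str, str]]:
    """Flag a Run value that restarts a binary from a GUID staging folder."""
    if "--autostart" in value.lower() and GUID_DIR_RE.search(value):
        return [("run_key", f"{name} = {value}")]
    return []


def triage(cmdlines: Iterable[str], run_keys: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    findings: List[Tuple[str, str]] = []
    for cmd in cmdlines:
        findings.extend(classify_cmdline(cmd))
    for name, value in run_keys:
        findings.extend(classify_run_key(name, value))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_CMDLINES, SAMPLE_RUN_KEYS):
        print(f"{rule:12} {detail}")
```

The deny ACE for `*S-1-1-0` removes only DE and DC on the folder and its contents; it does not take away WRITE_DAC, so the directory owner or an administrator can clear it with `icacls <dir> /remove:d *S-1-1-0` before deleting the payload. The per-minute task is what produces the long run of mstsca.exe entries in the process list above.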
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| BA | 185.12.79.25:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| PE | 190.187.52.42:80 | habrafa.com | tcp |
| PE | 190.187.52.42:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
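The Network table above mixes DNS queries to the sandbox resolver, connections to widely shared services (the public geo-IP API at api.2ip.ua, and the Telegram and Steam profile pages that Vidar is known to use as dead drops for its C2 address) and connections to hosts specific to this sample, including direct-to-IP traffic with no domain. The Python below is an added example, not part of the sandbox output: it parses rows copied from this report (both detonations) into a deduplicated IOC list, repairs rows where the domain cell is missing and the protocol has slid into the Domain column, and drops in-addr.arpa reverse lookups. The shared-service list is this example's assumption, and "suspect" here means only that the host is not on that list.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample input: rows copied from the Network tables of this report,
# including two defective rows in which "tcp" occupies the Domain column.
SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| BA | 185.12.79.25:80 | brusuax.com | tcp |
| PE | 190.187.52.42:80 | habrafa.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| US | 138.91.171.81:80 | tcp | |
| DE | 116.202.0.196:10220 | tcp | |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
"""

# Assumption of this example: hosts that unrelated software also contacts, so a
# hit on them is not attribution to this sample and should not be blocked blindly.
SHARED_SERVICES = {"api.2ip.ua", "t.me", "steamcommunity.com", "www.microsoft.com"}
RESOLVERS = {"8.8.8.8"}
ENDPOINT_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")

Row = Tuple[str, str, str, str]


def parse_rows(table: str) -> Iterator[Row]:
    """Yield (country, destination, domain, proto) for each data row, repairing
    shifted rows and dropping the header and reverse-DNS noise."""
    for line in table.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        if not ENDPOINT_RE.match(dest):
            continue                                # header or malformed row
        if proto == "" and domain in ("tcp", "udp"):
            domain, proto = "", domain              # repair the column shift
        if domain.endswith(".in-addr.arpa"):
            continue                                # sandbox reverse lookups
        yield country, dest, domain, proto


def extract_iocs(table: str) -> Dict[str, object]:
    """Group endpoints by domain and split out shared services and bare IPs."""
    by_domain: Dict[str, set] = {}
    bare_endpoints = set()
    for _country, dest, domain, _proto in parse_rows(table):
        ip = dest.rsplit(":", 1)[0]
        if ip in RESOLVERS:
            if domain:
                by_domain.setdefault(domain, set())  # DNS query: keep the name only
            continue
        if domain and domain != ip:
            by_domain.setdefault(domain, set()).add(dest)
        else:
            bare_endpoints.add(dest)                # no name at all: direct-to-IP traffic
    return {
        "suspect_domains": {d: sorted(e) for d, e in by_domain.items() if d not in SHARED_SERVICES},
        "shared_services": {d: sorted(e) for d, e in by_domain.items() if d in SHARED_SERVICES},
        "direct_ip": sorted(bare_endpoints),
    }


if __name__ == "__main__":
    for bucket, items in extract_iocs(SAMPLE_TABLE).items():
        print(bucket, items)
```

Direct-to-IP endpoints on non-standard ports (here 116.202.0.196:10220) and hosts reached only by IP (65.109.241.139:443, 138.91.171.81:80) deserve the same weight as the named domains; a blocklist built from the Domain column alone would miss all three.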
Files
memory/2356-0-0x0000000000300000-0x0000000000392000-memory.dmp
memory/2356-1-0x0000000000300000-0x0000000000392000-memory.dmp
memory/2056-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2356-2-0x0000000000AC0000-0x0000000000BDB000-memory.dmp
memory/2056-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2056-7-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2056-8-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\6a20d32c-f979-4f2b-8978-5b4a96fdff66\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
| MD5 | 14a5973627a876bdbafb029a26084f64 |
| SHA1 | 5514e9a9d8806406ff9921c9be25bd1e314b0b9b |
| SHA256 | bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5 |
| SHA512 | e6cefb5181f6bfef6c17afc961e5d8186115ce01e06160a4c08b88933f314f9e64010c04936e2511af543e49218fc4186bc59239e5d4254b10b3d517ca644808 |
memory/2056-26-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2592-28-0x0000000000230000-0x00000000002C2000-memory.dmp
memory/2592-29-0x0000000000230000-0x00000000002C2000-memory.dmp
memory/2164-34-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2164-35-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 94d862dfd39b9de03509e9d1ec734b38 |
| SHA1 | 675dbd59918e9bdfc8a218758de83827ca2385a3 |
| SHA256 | d57b2bba21c0e3ea6eea449afb6ed318b4a985b3c374dfdad848f32c42c2d37f |
| SHA512 | f35ff2a180c3ddce20ef15b4c2d03166778bf246a64efa5485bcd624b8404e56f80c0e68407a8e818904ad76f4d0c841ec408610addf8fdc9e3430ea0178fcdb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | ea636d4e6edaddf0d2ef0c6d7ac17680 |
| SHA1 | a2f072d5820023d97799bb616a2c3ff0d69cf23c |
| SHA256 | ab3c4e196441db2c0c0306c8749e2d54f7a1bef2fa896878f047321bd8d0b4e9 |
| SHA512 | 534a022e28aa2af8e037680f362ee537d8022572e70e88aeb912d0d4890fc03458a023e7e39bea9d9eb26809c360e2374a4115bb327ce0e1c2d4c1aec97c39ac |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 842665c705636585a5b1d24fadd85eb8 |
| SHA1 | 61978cfa31861b545179de6f143fe91a67cc50c4 |
| SHA256 | 9cdfa5fbd365d9a08f47a72477abf80e46fc36f9b776640d058eb218a12e15ee |
| SHA512 | 40524f85fd35d709013efe7d30917a0bb320da5e934fe10e14cd0b4aa5c7edc26b913f6aa3df10769e0d2d329cc90c576e290fc7d1b3f5a4e2a467ba6c6b7b54 |
C:\Users\Admin\AppData\Local\Temp\CabCF6F.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/2164-48-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2164-49-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build2.exe
| MD5 | c4070da9f9b0581171af16e681ccdff8 |
| SHA1 | 3fb4182921fdc3acd7873ebe113ac5522585312a |
| SHA256 | 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0 |
| SHA512 | c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427 |
memory/2176-67-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1976-66-0x0000000000230000-0x000000000027B000-memory.dmp
memory/1976-64-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2176-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2176-70-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2176-71-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2164-75-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2164-77-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2164-78-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarE090.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
memory/2164-86-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\8c6f69e9-050f-4a59-b9c6-ccd5a00aa98d\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/2164-125-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2176-182-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1760-187-0x0000000000230000-0x0000000000234000-memory.dmp
memory/1760-186-0x0000000000990000-0x0000000000A90000-memory.dmp
memory/1056-189-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1056-192-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1056-194-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2176-247-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2972-252-0x0000000000860000-0x0000000000960000-memory.dmp
memory/540-276-0x00000000002D0000-0x00000000003D0000-memory.dmp
memory/628-283-0x0000000000410000-0x0000000000591000-memory.dmp
memory/1032-305-0x0000000000960000-0x0000000000A60000-memory.dmp
memory/2224-333-0x0000000000960000-0x0000000000A60000-memory.dmp
memory/2220-363-0x0000000000900000-0x0000000000A00000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:57
Reported
2024-01-15 05:02
Platform
win10-20231220-en
Max time kernel
14s
Max time network
293s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(9 signature hits; per-hit indicator details not recorded)
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(18 signature hits; per-hit indicator details not recorded)
Djvu Ransomware
Vidar
Downloads MZ/PE file
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\50a55700-73a8-4958-b97e-431298acd57a\\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 216 set thread context of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe | C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe |
| PID 1924 set thread context of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe | C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
"C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe"
C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
"C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\50a55700-73a8-4958-b97e-431298acd57a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
"C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
"C:\Users\Admin\AppData\Local\Temp\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build2.exe
"C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build2.exe"
C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build2.exe
"C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1912
C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build3.exe
"C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build3.exe
"C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build3.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| BA | 109.175.29.39:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | 39.29.175.109.in-addr.arpa | udp |
| PE | 190.187.52.42:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | 42.52.187.190.in-addr.arpa | udp |
| PE | 190.187.52.42:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.0.196:10220 | | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | | tcp |
| DE | 116.202.0.196:10220 | | tcp |
| DE | 116.202.0.196:10220 | | tcp |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.239.69.13.in-addr.arpa | udp |
Files
memory/216-3-0x0000000002680000-0x000000000279B000-memory.dmp
memory/520-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/520-6-0x0000000000400000-0x0000000000537000-memory.dmp
memory/520-4-0x0000000000400000-0x0000000000537000-memory.dmp
memory/520-2-0x0000000000400000-0x0000000000537000-memory.dmp
memory/216-1-0x0000000002510000-0x00000000025AF000-memory.dmp
memory/520-17-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\50a55700-73a8-4958-b97e-431298acd57a\bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5.exe
| MD5 | 94f84927d4e355c5b599a2a972635903 |
| SHA1 | 4943750c862ed4d6dd2ab799ec4662684b6adea4 |
| SHA256 | 7ceb08abf45d7784d9bd9915d212381af9b0ead357c4f96382b63335497f1dfc |
| SHA512 | e91709be7222cb053609189407c0e328b3056630d08ad9cd08f3e8dc87dcbb649506bc32f0315a0895a4d686164ab832eb199614ec620672fd5ad54adc735cbb |
memory/1900-23-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1900-24-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1924-22-0x0000000002420000-0x00000000024BC000-memory.dmp
memory/1900-21-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | bfe924ae20700a8dba37bdd0677ea45c |
| SHA1 | 0fa2d210bdb511100054c5315c12c2f43cf334f1 |
| SHA256 | 074688d41f4e9fb7f2c480f6fc2b9cea49a739c9870b0494902983bbc653f358 |
| SHA512 | a6b02c4ca493e068c3c2874fce05effc0d648503c08648cf742d22649d9a623259bb119affa757395ed10257fcca19ba3ffa3a5b94dd8d809c33562bceaf730d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b53c8c6885abed41527cb077397f49c8 |
| SHA1 | 6632c25865d784c107038f7963d720c92640a767 |
| SHA256 | 1883c062dbf55ca4b52b71622efb8127acd9d56a2b5db1c7888ed5737f2345f8 |
| SHA512 | 035232100350f76b2f9241037248ab6696e45fbbbb18856ca04b8282129ec492ab345b419247d9e65c0d96528b0d92ba91d60f658fcc8921c44cf1b8c4473c2f |
memory/1900-30-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1900-29-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1900-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1900-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1900-34-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build2.exe
| MD5 | c0161fb5fa5b00daf54656649c61a548 |
| SHA1 | c368e2e929423fcb406bded2ba2a01aaa0485b30 |
| SHA256 | dc8118a7ae2a604d138651c4abb65c908bfd8878ad554bf57aa14d3539547674 |
| SHA512 | 1cc3235012514a6f6a5646e0a9d07b1bcb2dc123ec7b6a2e8e406799c14380bb3126b5f3589c78ad2b2ef1e6d5774c721b5d4b491764577587efaf8491bbacf5 |
memory/1428-47-0x00000000005F0000-0x000000000063B000-memory.dmp
memory/64-51-0x0000000000400000-0x000000000065E000-memory.dmp
memory/64-52-0x0000000000400000-0x000000000065E000-memory.dmp
C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build2.exe
| MD5 | dd347e4a9eed3f1a684c19b9b0dfe98d |
| SHA1 | eb1385312bf570229e612e0d905b51743ba7442e |
| SHA256 | 62b9e22ca2ca9c4ee7e9dcdea5bd25209ff189c16a3673e6e0d11a431b820028 |
| SHA512 | a99b59f754bda2ea3bfcc639210aa73f169325be03524305ede04f3c1fa8a140e9405546e86d633992f50df5c2f9a8bce6ed589ed7c415e99652c5f25df29ddc |
memory/64-48-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1428-46-0x0000000000690000-0x0000000000790000-memory.dmp
C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build2.exe
| MD5 | 566f8ba884fedc599037867b5fed567e |
| SHA1 | 59927264e8d4316a6133727381aa8de1afe618ce |
| SHA256 | 482fd2f6a2f0d7126e1cbd51c139891f3b9fd1bad52a10e6cc7e58327b3de4d6 |
| SHA512 | beca9510603ea1804d9211d79e3d7139f50b7db4927bd13b6debfb4b78345b383c0efe38ab49dcd31484fd8f9c4427d24d987d8d7685e92f2247b67e80a2df43 |
memory/1900-53-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build3.exe
| MD5 | b9ff3f154c8d97ad58641b02d7e1c750 |
| SHA1 | 6f5a0ae803618bc9dc5b052db093b5376a166435 |
| SHA256 | 28c1869ee2522018be4e6f32f81deb8312b25196724bc8548ccbaefaf139ef9a |
| SHA512 | 4397ef4e178423ab55409f7aa668c9d63d5e10432457aa4ace1dc90a09313be3bbac55b6c888667a1242dd918b0fb53b2ccc3edbf6b873cc945ffd254ee9747b |
memory/1900-63-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build3.exe
| MD5 | 7655a8ab6ad65f8b0c06e7d6ef573694 |
| SHA1 | 9c8b88729fe4cda48a7801839f6dc008ead4e50e |
| SHA256 | 1a5f238fbb82d782f9022af75c69d02d0a6b02a20e96c45b417d19380b56fcb9 |
| SHA512 | fc12524fb4ea6e241e6b902f9f8387336a8c8c27f8fff10493fe0bc1ecbb86ecc21b646319fc423e9a4a578b167b2a5d9cf7b21c1c821a3d7b2e16789c536809 |
memory/64-66-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1924-67-0x0000000002420000-0x00000000024BC000-memory.dmp
C:\Users\Admin\AppData\Local\a112e782-9e7b-46ed-aaa1-2cbaa287fef2\build3.exe
| MD5 | 13bef8579f96b08d065dc71343b9332c |
| SHA1 | 8cc44aee8fe03a996fb4ec171be00a70775912d0 |
| SHA256 | 33087e53fd814c39a30e5b9d55e158a75191f45bf7883c0e25bbd5cc9f6c9af3 |
| SHA512 | 988d63570f84242966a2c7f0fb7bc71d43201fe4f5308fc8ed2e5be2363a5b6dfe233447b4ce537f640aabc3293224e462461dc6f69b859c0ce1455c2aaf0fdb |
memory/384-73-0x0000000000400000-0x0000000000406000-memory.dmp
memory/5052-77-0x00000000008E0000-0x00000000008E4000-memory.dmp
memory/384-81-0x0000000000410000-0x00000000004D5000-memory.dmp
memory/384-80-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 3bb3d56a18eec9b79c287cf1e1b41f1c |
| SHA1 | d37dcf4f1349e3f8ab13b1d859b0533066fbffe9 |
| SHA256 | 574b4e621aea47f875c1edb98fbfc71d4d302bb568137fbb12a304df0b782c9f |
| SHA512 | a07dede517a571da1f1925cd9ae63fa38b5e5c0dd20458b47198ecf3d1bd862c74a5eef17e3a5192819a796faf7a8b84b59a60837ccbc51dd748b453d8fe2d8c |
memory/384-78-0x0000000000400000-0x0000000000406000-memory.dmp
memory/5052-76-0x0000000000B80000-0x0000000000C80000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 5c2b090f6e218209c9c7f4fa935265d5 |
| SHA1 | 4a8d96c4f25b9912306d3ef178f9b62ca6018286 |
| SHA256 | 3264a8f122706de1bfb1001716d7fc3388f1f083832d25aa5c8fc6ca83d3eada |
| SHA512 | 1dbd88ce19403aeb8dc0973e2bf08627d49e7dec715cea196135366e1c3979add3c9545b975149cf25d99b89606d81f5d26e0f23368202ac431eb7fc35e86e82 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 5169d2a060a54d0bbbd3027fc19a4417 |
| SHA1 | 2342990e51952aabf570794ababcf643507e4f4d |
| SHA256 | 7167395afd26254c61eb9fe58564f01409b402108ffb17564508064e09cc29ff |
| SHA512 | c70d02ce8b59807e1da70d95deec3af679ed05f4a7171771bb1fb767a1812ebcbdf2afd2ce72c7f685f33248ea7f1b55f5cbcccdd4743685df2a97edf88f6489 |
memory/5052-89-0x00000000008E0000-0x00000000008E4000-memory.dmp
memory/1592-99-0x0000000000B20000-0x0000000000C20000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 4b3fc3105731c7ff3a7e3966416912a2 |
| SHA1 | 0e792bf25e8795158074fa6bd2ee87ad16675124 |
| SHA256 | c0f698bcc4324958848de5d8e1b1bdaed5e01632d8c827a5a95356eb04a2c443 |
| SHA512 | 6ed5ee0139d9d9a676232a6c5d6e9a8528f880025a11fccf8a1a32a999ae5fac41f993c384fabec788e4e47da714d67f1def0348da6b0f4392e7fc7ff1098c28 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | ffa1fceb3d7fafa3757d48a64fa93f5f |
| SHA1 | 3d85f27c84ba62fc3c6195bb7762a177daa0e6e3 |
| SHA256 | 53b469ba0d446e1ccb9aa596b5a98935cd22d0c37b5d8e9ea39c1bbe948fe2ae |
| SHA512 | c447d7db3d70f3acb7a99d57d355466f29d55b23412737fdbd1020b5ba9512fd4c7f3b8d3a783ec1c38cc4e5153a47e46728355fde81e3a2360a3a3d03dcc9ba |
memory/4172-124-0x0000000000B70000-0x0000000000C70000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | e240a6468baf4a67a503853cbed40581 |
| SHA1 | 80a64abc42c63b3c9657eb37a4202759423ec2b7 |
| SHA256 | a4c0bf4b878ee9797b65b0eba70d9c901a23929565dd8cda0c3b5d658f19a891 |
| SHA512 | f1a0a711babcd43c724dc684a10e50f9d3c6358e9b05341fab11487daa6828cac46eb40a781c199ee660254734f8ab24ba3f737368d3cb450aa69ade836a174f |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 74ae9689cb04bde426e036319feeb49b |
| SHA1 | b932fd3571f6113cacf1e5eb2b3453a05887963c |
| SHA256 | b59f5c8dc70d0092f4257c3e13745f67e6324edeee709eff32336d3c93bca180 |
| SHA512 | 642d69ab7ef11418b9d97cfa8882ba38ba5c08fcec428a8a758b9de8ee1d576b4d1fe1a2ca93dc4f1f5e6a8eba8c21f7309975c0c43033350d51e5efe7fcafca |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Note: these are the digests of zero-length input; mstsca.exe was captured with zero length at this point, so this entry is not a usable file-hash indicator.
memory/3472-150-0x0000000000930000-0x0000000000A30000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 95b079f9b83988b2253843dede4b3b19 |
| SHA1 | 13104dd654365715d64cf2ca083c5fa4c6458f3e |
| SHA256 | df0e29c690158bf6943ef9fac22b10be7a3b590eaee291ea4fcc67d59c8501ca |
| SHA512 | 587ba3171d80122efc86b418582e922a61131ee55d015feb58661e560f9bb24fa7ef6eba5053f88aaddaeb21c05e15e420774db430b9850fa55b743acdb7afb0 |
memory/4292-177-0x0000000000980000-0x0000000000A80000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | e36cf7b8863ed683e3bb596d28d9582a |
| SHA1 | 769283b659f5581b8d8cd5c1ddcf80bdfdede5fb |
| SHA256 | 36d0ed0156e857587423d0b364dd7aa6ffc33db524466c02a3dc30242aad4c0d |
| SHA512 | 6e759fc12a3c75c33aaee2eccb6bf58cd5e7084e208b1eb5d5000c41df43dc6581e4e2638073cd41604c69a445de9aaa3f66b4e6dd8856ed05b673b09e339373 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 8b6a819c6926597dfa7529b692d7a6cc |
| SHA1 | 50c535e9cca464afd3a589d2231d87ce417d4312 |
| SHA256 | b9cb5501cc2d257e049e1757062523c7f9ee5a85d57d46538fe492125befd26c |
| SHA512 | dfd28b270d99ad89f8ce1df9750b92ff558f73fe2448bf182b5c1c05c7b180bb29175eeaf5a7c918791d64b36167fc1a6044f1aaff838e02e878782f5f6c0ba9 |