Analysis Overview
SHA256
aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293
Threat Level: Known bad
The file aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293 was found to be: Known bad.
Malicious Activity Summary
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:55
Reported
2024-01-15 05:00
Platform
win7-20231215-en
Max time kernel
300s
Max time network
169s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\47bd7c2f-ee7b-492f-a462-50d917e3781f\\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (value omitted) | C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (value omitted) | C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe | "C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe" |
| C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe | "C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe" |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\47bd7c2f-ee7b-492f-a462-50d917e3781f" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe | "C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe | "C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe | "C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe" |
| C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe | "C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe" |
| C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build3.exe | "C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build3.exe" |
| C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build3.exe | "C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build3.exe" |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 1440 |
| C:\Windows\system32\taskeng.exe | taskeng.exe {89AF5E08-029A-464F-87A0-2EE977D661BE} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1] |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| PE | 190.187.52.42:80 | habrafa.com | tcp |
| MX | 187.211.34.211:80 | brusuax.com | tcp |
| PE | 190.187.52.42:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
Files
memory/2196-9-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2196-8-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2192-7-0x0000000000310000-0x00000000003A2000-memory.dmp
memory/2196-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2192-3-0x0000000001F20000-0x000000000203B000-memory.dmp
memory/2196-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2192-1-0x0000000000310000-0x00000000003A2000-memory.dmp
memory/2192-0-0x0000000000310000-0x00000000003A2000-memory.dmp
C:\Users\Admin\AppData\Local\47bd7c2f-ee7b-492f-a462-50d917e3781f\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe
| MD5 | 95a407562c1f5ff8d8c1de430349eb99 |
| SHA1 | 638407b2f67ac47b69c5fa03b55144563e1c440d |
| SHA256 | aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293 |
| SHA512 | d457d3275a4f0ee66a984b203e9fa5a1403e8f9ecbfd5e9cde11bab1e486fc0cb554cd05c6c892bf9ae59b7aada67eafca6a6deb39dd2051310fe757f28949e5 |
memory/2196-27-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2196-28-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2580-30-0x00000000002E0000-0x0000000000372000-memory.dmp
memory/2580-31-0x00000000002E0000-0x0000000000372000-memory.dmp
memory/1804-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1804-37-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6d7d152fb25ee2df64347110e3013dc0 |
| SHA1 | 23b37f681135ee94b225a7068777fb10de55c2bc |
| SHA256 | ecab10539d28835dc8fe625f89d5e5f195f3fbac2ad20c455a9bd9afbeb52ce2 |
| SHA512 | b2b8ca81bb81af332e0ca1b06100def99a55c2c22c3d9b464c6728ffc66d1aa500e4f1bc2ea20147dc1334bab8d9cefa5cfbfbe647524f6947b2a8c42c9bf7c4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 5352ae64240eb7600915d14885b51f6d |
| SHA1 | 9f86a9fd06c7cab910a9a98ab6664687376a7438 |
| SHA256 | 47e768fcf1623a13df23cdd5247ab62211036d0c5d19952a77f3851f83d84cd7 |
| SHA512 | 6d4c66b74d90e6c562ea996e55827a27ad8ffa6a6cceadb0ae1af237fe39d74d0472cdd0a28afded99e1a7695fff79f704de515809c7000d30eb2a380eeaeab9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | ea007376bc121793f2e73461573265ed |
| SHA1 | 5a4b11700b234824fdd96d588ed7e927ee83d7cd |
| SHA256 | 8bbafd8bc25a858899f87681352e4cfc41a19de628489e3659247ac09445f4ae |
| SHA512 | 534750d75206327358b444a38a27bb62b16cd9d48b817a2fad5371172100cd63480faf0de88b65f3e2a3dc0a97f0e921a2de8d6f16919ec0ddc1dc5a314cb930 |
C:\Users\Admin\AppData\Local\Temp\Cab86CC.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/1804-50-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1804-51-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1804-55-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1804-57-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1804-58-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build2.exe
| MD5 | c4070da9f9b0581171af16e681ccdff8 |
| SHA1 | 3fb4182921fdc3acd7873ebe113ac5522585312a |
| SHA256 | 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0 |
| SHA512 | c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427 |
memory/1748-74-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1536-75-0x00000000005A0000-0x00000000006A0000-memory.dmp
memory/1748-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1536-76-0x0000000000260000-0x00000000002AB000-memory.dmp
memory/1748-79-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1748-80-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1804-81-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\0104da44-6fb6-4f48-bacf-8fe9cd8d70f8\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/1804-92-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar9CEC.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 30633d103473b8cd118489ee729f22f1 |
| SHA1 | 49fc2f080762b7f427356231a6254c08a77eba88 |
| SHA256 | f664bbcef779325efa40af522f55ddb70f2b06e7744330d06b37e800e8363b53 |
| SHA512 | 4f3827143aad52c2c25805f1671386cc4e9f4b4787fece422beddf5b468d50c7af6c0f57d9d9a38b302f6992301a52d5783e6fa2f97be6dc6e9d90d5debd0220 |
memory/764-176-0x0000000000870000-0x0000000000970000-memory.dmp
memory/764-178-0x0000000000220000-0x0000000000224000-memory.dmp
memory/2356-179-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2356-182-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2356-184-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1748-228-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2716-239-0x0000000000230000-0x0000000000330000-memory.dmp
memory/1132-272-0x0000000000980000-0x0000000000A80000-memory.dmp
memory/1012-301-0x0000000000990000-0x0000000000A90000-memory.dmp
memory/2556-326-0x0000000000C50000-0x0000000000D50000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:55
Reported
2024-01-15 05:00
Platform
win10-20231220-en
Max time kernel
295s
Max time network
299s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\de28997d-8d73-409f-b4d4-a8479a7737a6\\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe | "C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe" |
| C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe | "C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe" |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\de28997d-8d73-409f-b4d4-a8479a7737a6" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe | "C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe | "C:\Users\Admin\AppData\Local\Temp\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe | "C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe" |
| C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe | "C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1912 |
| C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build3.exe | "C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build3.exe" |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build3.exe | "C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build3.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| BA | 109.175.29.39:80 | brusuax.com | tcp |
| AR | 186.182.55.44:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | 44.55.182.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.29.175.109.in-addr.arpa | udp |
| AR | 186.182.55.44:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
Files
memory/308-2-0x0000000002140000-0x00000000021DE000-memory.dmp
memory/32-1-0x0000000000400000-0x0000000000537000-memory.dmp
memory/308-4-0x00000000022D0000-0x00000000023EB000-memory.dmp
memory/32-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/32-6-0x0000000000400000-0x0000000000537000-memory.dmp
memory/32-3-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\de28997d-8d73-409f-b4d4-a8479a7737a6\aa0d51394f696edbe195cb4e279f135f85a5acad6eed5d2cb542c06816cf2293.exe
| MD5 | ba60132ec243d6706685ad319ddddcfb |
| SHA1 | 8072f04eaebb403359596ce41b3639b13fbba59c |
| SHA256 | 67734fa79f54ee897f01ba1d8316a6c58ce2d3846d505203849412b084d705cf |
| SHA512 | 4a92641de472153e582a79fa37977c8c5a11e084b1d51aaa5f7640381e20f5c148ca3cf1b4a7aba039a6030227092d99c8cb3eff2b5ef1eb22b448b129a4846f |
memory/1904-23-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1904-24-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1904-22-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 6fe0ccb584239bd0d75208b5043fb272 |
| SHA1 | d9f0e1fd7b35ff3986b4cbe2ad738577863b4788 |
| SHA256 | a7848b992fcec6370e232b62640cb0765768e1b723ed392b3fadde3d34c5ffe0 |
| SHA512 | d99b524ec8bb5d85d1d7f4569debd9a6e3d8baef0d17ccd756b60cca789deead5b76bfc16f4ea1ad0985ce2714f498b5e9d23db9214af262ad1290097b569f05 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
memory/1904-30-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1904-29-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 89ae2a06f6ef4b6df63a1d1a00100d57 |
| SHA1 | 5524d132d54856c6c15dd362143978cd16ca33f8 |
| SHA256 | 934634313744ba70fa34de947719b64ab4d5a55500b593fb5703704a3182b8c0 |
| SHA512 | 343b52dffc04ddd75ec4f42f5bdf8f6129f2a7b45ed6d3cdcc7989236b6cf723c3422cd7efa8729c7c5fc419470b80f9d0882b1d4e434182c7b9183e4168dc3a |
memory/4764-20-0x0000000002040000-0x00000000020E2000-memory.dmp
memory/32-17-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1904-34-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1904-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1904-36-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe
| MD5 | 4470ae6d1fdd15e2ee1ee7cd5e367095 |
| SHA1 | a98ceeba1ad55b6c8a8306178e922e9efd9d4f05 |
| SHA256 | 25e717b8b5f39d20acdd619cf15155f6a0cf5257302f7489276e4c8ec64175f1 |
| SHA512 | c707461376dd24885978bd60ffd936338bbdb85333ae7b2a308994c8039d632506ef0ce01585af9e189e84c68f86c399ae4c809e53897be22aaa34ed951168a5 |
memory/4960-46-0x0000000000400000-0x000000000065E000-memory.dmp
memory/4960-52-0x0000000000400000-0x000000000065E000-memory.dmp
memory/4960-51-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1648-50-0x00000000020A0000-0x00000000020EB000-memory.dmp
memory/1648-49-0x0000000000460000-0x0000000000560000-memory.dmp
C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe
| MD5 | 0db54f634f9a638b2bec2c602e97d52c |
| SHA1 | 30acccf74b2f5acb45daaf3c6f8b5ed1d081d149 |
| SHA256 | 65c7ce17c1511f20321938530cce8d87961d5ca625d4db87c2bd6118ca55dd1e |
| SHA512 | d9d6cd3edf4ab3a3b61b863ea27d3d6c1f9f26a3596bc8bb5a1608ebb68657e1a4dee605775daedfcf98867d19a9686cbf2ad7142faf065f9a3b10ea3a355027 |
C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build2.exe
| MD5 | 7d08821de6b860d813703ac8030bb8a6 |
| SHA1 | dd5d9275bb59f53b0721dbb260fa15839f16d6fa |
| SHA256 | 2b205a8936766885f7f93bcb6c0c0cced7678a22ab79525859f6c515635d26b3 |
| SHA512 | 7b2657105010bdc2ba9a7ea05db5c46e87c45f908f62963f6e6749b402aed14977ca0f2f2b6659fc114a8034af77abb5af93bd4f1b44834f01958a81bec64b8b |
memory/1904-53-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\530bdbf9-aa10-4bae-b502-6a48d095c879\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/1904-64-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4960-66-0x0000000000400000-0x000000000065E000-memory.dmp
memory/4924-72-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2352-76-0x0000000000B49000-0x0000000000B5A000-memory.dmp
memory/2352-77-0x0000000000920000-0x0000000000924000-memory.dmp
memory/4924-80-0x0000000000400000-0x0000000000406000-memory.dmp
memory/4924-78-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 96c537da5e32398b156de85720d9838f |
| SHA1 | 89fc76f360c09ee1597af616ff2acd43669f682f |
| SHA256 | 69bdddd91bdd75415d27b04b89a2dfd4d9f58c9527bad9a17d19586d57351b6c |
| SHA512 | 19cd60e1e8641e568aad4c88aa6167e961f64f1890cb5d7d4cf6c3b1a0fbeea053c3b1b48161ac6982d5feb5ca9ef72585a5cff43a099e6e1aac2fb13c7cc246 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | c8a396d2eff0482c757d97a0f3f9a6da |
| SHA1 | 90152104157eb1c381757bb24a8e1455fbc9d216 |
| SHA256 | 0f16a0ab2f4a07f517356787e5046ac2af0c0b021250cf178b1f7e1a7d8d802e |
| SHA512 | 89ca81bef0789b26531cfdaad751500c313ea82db8e0fc5c72526dad9b74f51ddf26d20bc8010066c6f1d1fe515a97da7d1d03b7d69e0e2e16242362f162dae4 |
memory/2464-103-0x0000000000A4A000-0x0000000000A5A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | d252d19a3a2e6e458bce14342a3322a8 |
| SHA1 | 62764d56d888e35816425c80e41a5933633bc548 |
| SHA256 | 3b712598960ee46835d5bd085b7da4e9b235da25d3b299e28b294af6b277c225 |
| SHA512 | c4e1f4a8550bbda3291feb155b05a5428761aef6b9968c60443c007a14bd0137d45e4f68de15a41d2ba85e26e0a449f1297f253ffc31a68af9c0a42acc24bb76 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 28a2a6e9f4adb79261e929ec6f1dc817 |
| SHA1 | e1e7940aae7cbb6f08d8642fd10a7da8764dde72 |
| SHA256 | 920e6db6038bb4d006f7de2ebe05147be968bc4c68b35e8f617d6fab800e9342 |
| SHA512 | 0bb02e2c7b7f57f3de754182eb1e50cc83f7db3f7538397a96c8b900056c7fe9396d951aba6516e9cfb847e205673dc675b33e268c21caed70bb35c211b10322 |
memory/920-125-0x0000000000AD0000-0x0000000000BD0000-memory.dmp
memory/4800-153-0x000000000091E000-0x000000000092E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 13f664830f31122210ed85c795847487 |
| SHA1 | 0b39cc01bbb89261c2b3e0db4dd091fcc99a9ffc |
| SHA256 | 15694ccb0ae6829dcb4ba4225eb46ff766d8c3303d983cfc3554957c7b92177a |
| SHA512 | 1447bebf73b849ef2a97f4f302cdbc8e678eefaae7d2386ec5e96da5548d292dbb9920ffe4f69ff0e2b9f76964011789c717fded901ac10ce9ebc9be8f5c4c3f |
memory/1072-180-0x000000000082E000-0x000000000083E000-memory.dmp