Analysis Overview
SHA256
ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2
Threat Level: Known bad
The file ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2 was found to be: Known bad.
Malicious Activity Summary
Vidar
Detected Djvu ransomware
Djvu Ransomware
Detect Vidar Stealer
Downloads MZ/PE file
Executes dropped EXE
Modifies file permissions
Loads dropped DLL
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:55
Reported
2024-01-15 05:00
Platform
win7-20231215-en
Max time kernel
299s
Max time network
156s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0f7413d5-dbf8-480f-8a81-253200801500\\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
"C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe"
C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
"C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\0f7413d5-dbf8-480f-8a81-253200801500" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
"C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
"C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
"C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe"
C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
"C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe"
C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe
"C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe"
C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe
"C:\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 1444
C:\Windows\system32\taskeng.exe
taskeng.exe {5B92BC40-6BB0-4D82-B9B3-2DE9574162AC} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| BA | 185.12.79.25:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| PE | 190.187.52.42:80 | habrafa.com | tcp |
| PE | 190.187.52.42:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
Files
memory/2044-0-0x00000000002A0000-0x0000000000332000-memory.dmp
memory/2044-1-0x00000000002A0000-0x0000000000332000-memory.dmp
memory/2044-2-0x0000000001D60000-0x0000000001E7B000-memory.dmp
memory/2920-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2920-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2920-7-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2920-8-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\0f7413d5-dbf8-480f-8a81-253200801500\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
| MD5 | b39217e76b21bf17052cd2abd00aef34 |
| SHA1 | 31cf90601333cc6b46bf0a6b4cdd62cbdabf9067 |
| SHA256 | ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2 |
| SHA512 | bfc5d6b0ca0f841e8900bae346ab0f8e101f1bd5422c56704de70505e90c8f228d2a8ea5eff982a0fb55f4bd315cf71cffae021137a16f7446ad2bbed98e73d8 |
memory/1072-27-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2920-26-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1072-29-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2792-35-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2792-34-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab61DE.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6d50df247a1329fd16d3cdee814ad86a |
| SHA1 | 52436ad5f62ba32e4245b0981be5441410b1d390 |
| SHA256 | 9a4e395286911c33a19bb6c4c82c147e45f44845186856ad4bf7331d43ecbbdb |
| SHA512 | 69e6808f90c0c2e92d7cabd8a5ec459c6c35e8aaa6ea63a0e6762d213d6edd1c78bf58866cf814f0898a04d963a59c13ece05fca9fea028ba63643360370c8a0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 9d58eaa6e3e7a9e97e94577582ecd65d |
| SHA1 | 3fff92118c1071d2a99be25e35260f9a13a97bb3 |
| SHA256 | 0209941518fd4475caa3e834720805f6df75fa08e4a828f49ca218b56a672169 |
| SHA512 | 060d9c86293d71850352dc6920f36310d8e1023b8e0a550d6c96deebda9f5894724155aad6db6235d675b719f9c4b1b3723ebdb2095fb2e977ffdc72ecf76d2a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 71ad60bb070402bdd701c9c2a5cdcfa5 |
| SHA1 | 68216fbca63af8923a845365f36c181db5ed60b7 |
| SHA256 | 06cbdd3453f54be2dd0e40232fc84a30807d1b9162647cc3ebf608c2a8a7d831 |
| SHA512 | 4e6daa3f65b2a3b55a075741bceb0eb5bf64a6f0a7e1aa3140ed2d8a93443404c7599615780b757c30ad9f480eeae4e05a6e60b761db6c7d3434e871c0b55d11 |
memory/2792-48-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2792-49-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2792-53-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2792-55-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2792-56-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build2.exe
| MD5 | c4070da9f9b0581171af16e681ccdff8 |
| SHA1 | 3fb4182921fdc3acd7873ebe113ac5522585312a |
| SHA256 | 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0 |
| SHA512 | c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427 |
memory/2612-74-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2880-73-0x00000000003B0000-0x00000000003FB000-memory.dmp
memory/2880-71-0x0000000000240000-0x0000000000340000-memory.dmp
memory/2612-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2612-77-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2612-79-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2792-78-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar7917.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
\Users\Admin\AppData\Local\ac306b7d-d4eb-4ddf-b1d1-0fa1225f04f0\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/2792-115-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0d137a38fdd6dde5bec62fa5889525f7 |
| SHA1 | bd0029e7dd41f3c938fb93ed18ce511a3b1a64ac |
| SHA256 | c1017f73bea6d1312088cbfab8493e0147470f0f2a1b44ca2ab12eab8a6908e1 |
| SHA512 | b5d79b62abfeb50f086413b40db4659b7d2c25e20fbe9eea58d8be4109d6c92ef10928dbea7005afa9f6275c5331d4a8fa7349d238c0b801e007ac1408f81c4c |
memory/1632-176-0x00000000001B0000-0x00000000001B4000-memory.dmp
memory/1632-174-0x00000000002F0000-0x00000000003F0000-memory.dmp
memory/2144-178-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2144-181-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2144-183-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2144-202-0x0000000000410000-0x0000000000591000-memory.dmp
memory/2612-222-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2612-228-0x0000000000400000-0x000000000065E000-memory.dmp
memory/3016-243-0x0000000000970000-0x0000000000A70000-memory.dmp
memory/540-270-0x0000000000290000-0x0000000000390000-memory.dmp
memory/1560-276-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1548-302-0x0000000000312000-0x0000000000322000-memory.dmp
memory/2424-330-0x00000000008B0000-0x00000000009B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:55
Reported
2024-01-15 05:00
Platform
win10-20231220-en
Max time kernel
21s
Max time network
304s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\81d357ab-cfdc-4212-8f82-4a1b4456f6e4\\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3288 set thread context of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe | C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe |
| PID 3924 set thread context of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe | C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\b70c4e1a-8c56-403d-a98a-44b5e9d09e70\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
"C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe"
C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
"C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\81d357ab-cfdc-4212-8f82-4a1b4456f6e4" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
"C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
"C:\Users\Admin\AppData\Local\Temp\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\b70c4e1a-8c56-403d-a98a-44b5e9d09e70\build2.exe
"C:\Users\Admin\AppData\Local\b70c4e1a-8c56-403d-a98a-44b5e9d09e70\build2.exe"
C:\Users\Admin\AppData\Local\b70c4e1a-8c56-403d-a98a-44b5e9d09e70\build2.exe
"C:\Users\Admin\AppData\Local\b70c4e1a-8c56-403d-a98a-44b5e9d09e70\build2.exe"
C:\Users\Admin\AppData\Local\b70c4e1a-8c56-403d-a98a-44b5e9d09e70\build3.exe
"C:\Users\Admin\AppData\Local\b70c4e1a-8c56-403d-a98a-44b5e9d09e70\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1896
C:\Users\Admin\AppData\Local\b70c4e1a-8c56-403d-a98a-44b5e9d09e70\build3.exe
"C:\Users\Admin\AppData\Local\b70c4e1a-8c56-403d-a98a-44b5e9d09e70\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| CO | 186.147.159.149:80 | brusuax.com | tcp |
| AR | 186.182.55.44:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | 44.55.182.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.159.147.186.in-addr.arpa | udp |
| AR | 186.182.55.44:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.0.196:10220 | | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | | tcp |
| DE | 116.202.0.196:10220 | | tcp |
| DE | 116.202.0.196:10220 | | tcp |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp |
Files
memory/4460-4-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4460-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4460-6-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4460-3-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3288-2-0x0000000002240000-0x000000000235B000-memory.dmp
memory/3288-1-0x0000000000630000-0x00000000006C4000-memory.dmp
C:\Users\Admin\AppData\Local\81d357ab-cfdc-4212-8f82-4a1b4456f6e4\ad491e18f0871e13524e696647c31d4784b0d1286955aeb4ee54a378042ab3a2.exe
| MD5 | 2dece59d47456dcebc1b2a838d6a0016 |
| SHA1 | fff2c2791c8ea2691eb74707cfc1284df2115a03 |
| SHA256 | 43bbb2eb226c4630f1e31771c9679b3e44ea9303abcf486d616f49610e7b8454 |
| SHA512 | 928ea5089f6bdfc6d2574c6e6d15db0aaac3c6075bd958cb2474e307b2bdedae4e1f413a664eb0bf4562780e5efddca30adad53b23b1e38c4586b6403d95ab5b |
memory/4460-17-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3924-21-0x00000000004D0000-0x000000000056E000-memory.dmp
memory/3108-22-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3108-24-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3108-23-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | d3af9b175cc3f8660bfcdd19c712cdad |
| SHA1 | c9ca56f1a94a13c4d1cc3126163af9e6f2f3a076 |
| SHA256 | cb566e8eb2007006130b213b6711338cb43aa1ffa3c8143a0cb9e72f0c938b17 |
| SHA512 | af82db0cc51c5eff897441c166313c6cd8871c843d6e99cedde3d79aa87a27c63145ebf43e519324b78f0b1f4ede2c722c8b11b341cfec35c8572f9e7729ae04 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 8f338ad47439d6349242b9657e571cc5 |
| SHA1 | a0689579db1fef7704ba627c8a590a0f1f9d661c |
| SHA256 | 8725b41a81db65a6f38c4c9282300e3a541123594710d4940b15a90d8e2e11b1 |
| SHA512 | 92e0648109d2c810930c678b58a77990082697c9db6acf5d296e7ef779bba748b1e8893f7ca32b494070570cd0670de9a4524981d1b91076c0857b2c08b3f0f2 |
memory/3108-29-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3108-30-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3108-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3108-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3108-34-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\b70c4e1a-8c56-403d-a98a-44b5e9d09e70\build2.exe
| MD5 | 2e6c8168f3ec29356a8b18525ff08afc |
| SHA1 | f81bee7e73f78eb6c574ce2255863df6f6b7d688 |
| SHA256 | 9bb525624d28204af1f8813d411c66493fabc5f4bc5c9a0884c0acd9ac4a71de |
| SHA512 | 7e51885fe43bb0e3de31651c726ba32fe1a3787438f7ab92baed6e2f392d5c73d5bc2febf04a4147b9ecb3aff10cb69fb8ecdea64557a366cd9917c9cc0a6b46 |
C:\Users\Admin\AppData\Local\b70c4e1a-8c56-403d-a98a-44b5e9d09e70\build2.exe
| MD5 | 28b9e1c1b007c047b29aedbbb1ebfff3 |
| SHA1 | 61da7928d700065a97e9f633dd95ee1d4ffbc82c |
| SHA256 | 7d15d1e9286b8c4a1ca5617e175653e683aecefe18caa9825b63ec820a5e467c |
| SHA512 | 4ed25a90b6d7d4e8d40c558ad996446151a1557ee3df90c1c4c9373f7f4904e3f37aa3dc8a721e5cdd64cb70d24ea684d27b342d39f8d7a48d39b135c56fa4b0 |
memory/3260-46-0x0000000000400000-0x000000000065E000-memory.dmp
memory/4512-49-0x00000000005B0000-0x00000000005FB000-memory.dmp
memory/3260-52-0x0000000000400000-0x000000000065E000-memory.dmp
memory/3260-51-0x0000000000400000-0x000000000065E000-memory.dmp