Analysis Overview
SHA256
cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20
Threat Level: Known bad
The file cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20 was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Djvu Ransomware
Vidar
Detect Vidar Stealer
Downloads MZ/PE file
Modifies file permissions
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:58
Reported
2024-01-15 05:03
Platform
win7-20231215-en
Max time kernel
300s
Max time network
169s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\35536c4d-a176-40a0-8026-fcb91feb54e7\\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary blob value not captured in this report) | C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary blob value not captured in this report) | C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
"C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe"
C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
"C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\35536c4d-a176-40a0-8026-fcb91feb54e7" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
"C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
"C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
"C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe"
C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
"C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe"
C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
"C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 1440
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
"C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {C6C3ADA7-8755-4AF3-8ACE-6C635FDFFBB9} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| MX | 187.211.34.211:80 | brusuax.com | tcp |
| AR | 186.13.17.220:80 | habrafa.com | tcp |
| AR | 186.13.17.220:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
Files
memory/2444-0-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2444-2-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/1744-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2444-4-0x0000000001E90000-0x0000000001FAB000-memory.dmp
memory/1744-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2444-7-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/1744-8-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1744-9-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\35536c4d-a176-40a0-8026-fcb91feb54e7\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
| MD5 | 0407f464f5383cc888945bda2afa42c6 |
| SHA1 | 92de3404b2b42c0460565201ceaf2669bd6fc149 |
| SHA256 | cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20 |
| SHA512 | 39aabd70c7065714718c0cb91795b1e690972780e1c118cb0f71f7f481f889f1df36b2e4b17b2e791ac8ef477c69f412a00f51bde9eec9e3c7531498c5586e50 |
memory/1744-28-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2556-30-0x0000000000350000-0x00000000003E2000-memory.dmp
memory/2556-31-0x0000000000350000-0x00000000003E2000-memory.dmp
memory/1712-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1712-37-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 27ec60a3bed94dbab817f3dcf9821b33 |
| SHA1 | d46144afb0108db96b2ce2b2807e8b4fd0781c1d |
| SHA256 | dda4f6a36ec887cae4f6e0a95a40c5d910694a1eb249058f7c631fcb7383a0cb |
| SHA512 | 7b19af41ce333088af01c4d41d9ad955962ae4d1afc9f266a66a783edee786ff1469b5e88642abddf5f73e6ee17e0771e6aabb7c082c365a51d3a6884bcd0db9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | acc3b3a7bf98e84476341e314ad146ec |
| SHA1 | 581092994fe3ced61b0bfc2fd08b5c6d19cf64f3 |
| SHA256 | f608847636ff9084b103f84ece698d7b9e75159000ab09727278c394e79f0f17 |
| SHA512 | e8ac9ccd29bdb85881df9ff5c745a063190293012a703c411ab00bc9598712fbfeba424cbc416e1bb941ddc55b077f4e209015595b5aefdbcdfa1fe80f732b1a |
C:\Users\Admin\AppData\Local\Temp\Cab85A4.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\646C991C2A28825F3CC56E0A1D1E3FA9
| MD5 | cee70d925ec26494b55db142979f9771 |
| SHA1 | 58bb5093be0bb5228921aaf5ce3037b4fa9d3980 |
| SHA256 | 4a10d2fcd6f33ba842e1bf7ab2b5823a907ee994a2ee65d1edc4244d9f8d5952 |
| SHA512 | 3afadfb767b38553b4ab1bd00d7c8c3212f10ac5fc4e4124aa6e435ee6295b6b5f5d23f673ce382b389aea8854ad291278652c5daa2607200fd20d357eec6cb8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\646C991C2A28825F3CC56E0A1D1E3FA9
| MD5 | 2075f9b81f3b89bc359ddd10eb29c1b6 |
| SHA1 | 69733862e65ea3005862a4357e571d9543e33306 |
| SHA256 | 8e7c9a1f4f5b48e680f0ea9151bb5e7e2f4eb66249a49a7e0873f48635c5d1cc |
| SHA512 | d1eaab63b2d8d25d5b354e7bb7c1adc03423dc174216b28862cac61d201b12ffa6f0d1e8801f3ca5873c926d836fc68cb106fccab325f07c3dd4f81e7f05b58e |
memory/1712-50-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1712-51-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
| MD5 | d8f59424e90c3fb666b9c69621b3200c |
| SHA1 | c6970940803091ec0a8521427c16379d8c14f93c |
| SHA256 | 0ca1ea49b54d6fb09d0630e49d46f309b23add4724c39bdd6fdabd6e2521a938 |
| SHA512 | bb3f632fa666319040a3dae1182ad03105f02955fb58a39fa45bbc05efa65db47f5b695f7182c53e94726f0c55cc825c318ccc33f4e06e4b6879b466166d4642 |
C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
| MD5 | 0c13b03f78354853d7fab5ead0aacaf5 |
| SHA1 | de1a826d45d946628defe2fb4469dc826c789623 |
| SHA256 | e7d5595e743ccb09c252fcd303ce114113ad07d7a269e78ba8549e9191f11680 |
| SHA512 | e6450e86928b6c652502a435d683c1e2452d5aa8253f28a8c49e252af88890fc03afbb230bc48050b41840c5685f65003667c32bf01ced67e86ac304b87f0b80 |
C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
| MD5 | e51304578e508331130726d2be7e9d05 |
| SHA1 | 79a17471121b0bc74558341991fcb5bd6ccc9336 |
| SHA256 | 464a39529e7925d347735285e3543bdc47bea6e7baab2109d78ee068e0075cc7 |
| SHA512 | e3d4b30de3f45159031c6e304f2caee1c540b1404910e9d6631b12e92fce0a6f43bdbd26e3b717f4b18946ab7065beabb1dc1e435f48fc5b520cc4b8974d064d |
\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
| MD5 | 6b06728dcd7777de5cff4ae45b28b9df |
| SHA1 | 74eadcd6113b4849d0b4d32bea97011fde24bf0a |
| SHA256 | 84fee44d4b32ec980b01c0f9018c7a2463c6d57e9577738bb4fa10c74df732e0 |
| SHA512 | de9681a646fdd81c4ce2fb0e798c95bca311b004bed1615616001927f9a822419b881ad3fd910ddcd144cfdbcf65a22d8a0c76f6c97b75f23c829559bf699af2 |
memory/1712-70-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1712-71-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
| MD5 | 24c414ade6fb8205b51d115f0069e2a3 |
| SHA1 | c8a2547d574ffc3b0aabffda383f15cf517502cb |
| SHA256 | 10489e3ccbcb177219c60954bd85baa2c8579d0011b8b9ba85413a435a143d8c |
| SHA512 | bdb8b27b0bfccee700331998ed1a721eac5e04d4c78f9ace8830dc32e45abcd447f51479db30a59327c5002be0c1def580d8872b9abff89a6a275ca2821cea5f |
memory/1892-76-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1892-79-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1892-80-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1892-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
| MD5 | d8c02a7cabb050ca8f107d2587fca2d5 |
| SHA1 | be1e55d2e182de6818119c8edd9898710675a810 |
| SHA256 | 7727181ee888cb76bebaa4e2e5ffcdacf625f179204d290c56be36b98e59be1d |
| SHA512 | dd444a870e24f8753c4947070e21f7b5c03110afdd572967f115fe43e41cebe11e314d01608b11712d904e56b6c646e6d88c1ebd913cfaa2cbacb87b5fb90ff3 |
memory/460-72-0x0000000000260000-0x00000000002AB000-memory.dmp
memory/460-69-0x00000000005C0000-0x00000000006C0000-memory.dmp
memory/1712-67-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar9AE9.tmp
| MD5 | feca4b6542bb2aebd3bdd15750663ad4 |
| SHA1 | d6761816ae701718ff76c6c56d0d55c1af9ebc68 |
| SHA256 | 3a0fbefd1a4682ae252bd22406837bc9797a90dba8e8e41b359ea78fef7d9d9e |
| SHA512 | a617d6f210d3194654d74635888c9dee6dd4856f3e98f1cf7d39001e764afe51b4ebd709bd667577406e60918e6e4c923ac7a16945428ba9f1dff9e44cb26731 |
memory/1712-88-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 143afd374220a299e436105607ffc1fd |
| SHA1 | c24ee962c2c182708cfbe07501d6e217002b3b2b |
| SHA256 | 2c4d2fb3aa417b87bfd0db2973231ce3c3bae3f65f548b7e95f1dd1e7f80d0b2 |
| SHA512 | 56d671d4dce74862e1121978d6fd4e8b7b5c9d3323bc65f2ca9ccd28bdd4db6f0a49d8feacd589cc5a368faa9dfec9b9f7572416bffa3f9bcdc00d8d75ef5b32 |
C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
| MD5 | 25898ed865c579ca2ed4891f0aeb5fe1 |
| SHA1 | a9ec7a581afcfa32a32f76e1ec967d89ca20986b |
| SHA256 | 9da051ad6f9887716b18a3f72583be38466eaa0b91c9900b7a5cafab4497f609 |
| SHA512 | 1d4d8e9a7b8b0b573b764e51de65e42000712af830765ebc33313036fa5828769cf05c234d7a9be8f3cacb13ddaa4804953c9ff0d30d6997b2e30f7690d72420 |
C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/1712-189-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
| MD5 | c4070da9f9b0581171af16e681ccdff8 |
| SHA1 | 3fb4182921fdc3acd7873ebe113ac5522585312a |
| SHA256 | 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0 |
| SHA512 | c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427 |
memory/780-221-0x0000000000332000-0x0000000000343000-memory.dmp
memory/3020-225-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3020-223-0x0000000000400000-0x0000000000406000-memory.dmp
memory/780-222-0x00000000001B0000-0x00000000001B4000-memory.dmp
memory/3020-218-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1892-227-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2320-238-0x0000000000C72000-0x0000000000C82000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 7e9ce13d746bca63a59bb71a9269cb35 |
| SHA1 | 8e714c94724240c5c4cf7576900e053e97d5f231 |
| SHA256 | 6caeae151bcc766b1974f89f78af7e2c4b885d33790f3b4e4780519b8a0ee1a1 |
| SHA512 | 5223fac391d9fb9c349d2d61d5acafa21ff159ffe8a09001238c810df87898b7e93b3da923dac180ae66d87d556fa579509c14c84800b8a136c2bc9783fded22 |
memory/1908-268-0x0000000000930000-0x0000000000A30000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | b059af3512fab9c1c09238bb8109af7d |
| SHA1 | 40bf492b167e4ebf722552a4b353a72434c7627c |
| SHA256 | e5397de9e746e1dfacac4384375644198673a6dcba7555b2637a50d7089f9a41 |
| SHA512 | f85db6d6f541b7597900a6f5ab3e7238a95c7fceb4fb00326fe462192688d1c6617736246c40813636722322d00447b3bcd62a008315adc1527971cb38146d6f |
memory/1908-279-0x0000000000930000-0x0000000000A30000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | b9ebf5ac057c579ba372de8bcfa530cd |
| SHA1 | a77f3daa35cdd4fc4488f79af562a6800d190323 |
| SHA256 | 78b9ca31bfda7243bd574d12d1ff9753d7980d0ce0a8dbe2d2293d9baf7ae17c |
| SHA512 | 94e94fc7b6013eef863d469ae69f2b30814b3731f8106837d7ee9c74e69f7a101a697b98a00040b7ac3b6173ab9687160344e0291c6a9f462b78b7a9618a444e |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 46615ac34b4515c1b4fcda5063d4734e |
| SHA1 | 29d73e883a9ec2a06665b1e57ec783340af3f065 |
| SHA256 | 1e1f96b2bd1b012233e50aad97d36eaab71cb39f67fbabb7f42892e303bf4752 |
| SHA512 | 27fe815f40a968916cdc07d502edeb24d07d88173c8e0576a017808f72de551d8512a0cb9dd932b80430ad525f1cbb1859325fc43b411ea42e0e0d93a08aa67a |
memory/2096-294-0x0000000000980000-0x0000000000A80000-memory.dmp
memory/1996-328-0x00000000009A0000-0x0000000000AA0000-memory.dmp
memory/2364-362-0x0000000000980000-0x0000000000A80000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:58
Reported
2024-01-15 05:03
Platform
win10-20231220-en
Max time kernel
296s
Max time network
295s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0ca184b1-f8d1-4848-a898-ec231c7e2c84\\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
"C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe"
C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
"C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\0ca184b1-f8d1-4848-a898-ec231c7e2c84" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
"C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
"C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build2.exe
"C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build2.exe"
C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build2.exe
"C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build2.exe"
C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build3.exe
"C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 1892
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build3.exe
"C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build3.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| CO | 186.147.159.149:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | 149.159.147.186.in-addr.arpa | udp |
| PA | 190.218.35.224:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | 224.35.218.190.in-addr.arpa | udp |
| PA | 190.218.35.224:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
Files
memory/308-3-0x0000000002180000-0x000000000229B000-memory.dmp
memory/3272-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3272-4-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3272-2-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3272-6-0x0000000000400000-0x0000000000537000-memory.dmp
memory/308-1-0x00000000006F0000-0x0000000000783000-memory.dmp
C:\Users\Admin\AppData\Local\0ca184b1-f8d1-4848-a898-ec231c7e2c84\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
| MD5 | 05ddd0423edaa09a6cbf5c74009f8320 |
| SHA1 | b0c3d52b01e9648091a76109b285594efa69a88e |
| SHA256 | 77d58941471464e62191521db914250ffbff12dbe0cb59c6d4fb9c35f9d9c4de |
| SHA512 | 0634e756f5e945975b4920aed6bd5e99a4b9b2f077423f0ae960c460c2608672b274b67c19885342f83122c9fd9f2fb6fd77bbffa3fad7cb33a402972fe78a32 |
memory/3272-17-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1152-24-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1152-23-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1152-22-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 1e7a741c654eefa9b727007204b618ca |
| SHA1 | 402f6317db245b32f588715e777c5332376f8657 |
| SHA256 | 93fd640a2e477ecce0b855f2e14bafbffe8b99edacc4bf6286f5affb547c9bb5 |
| SHA512 | c77206c96be186be826cd8846b7b5776b0611593c80d76ec3013adcfafb32ce8171aa9c4b6e0ef953c45dee0fafee1caf24d4ba61d58705d0f91eb8e4d3400ec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 540a525ffcb6adde1143935b0b511f8a |
| SHA1 | 340effb7c73f3e55693aca20da3df37f731eef30 |
| SHA256 | d2ecd05737ef0b704c57a8bae19800e0e8371c462b4ca9885b5f5a215b0c6138 |
| SHA512 | 3eb858280f5db3b121482fca7f2ec6cd1d91e96235fdd6ce557befaf233521764a2f0acd393ead6cd7f2e37ad4b988da2fb7e0cd5b167cf657522377280b5dd7 |
memory/4752-20-0x0000000000610000-0x00000000006AF000-memory.dmp
memory/1152-29-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1152-30-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1152-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1152-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1152-34-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build2.exe
| MD5 | 3b68b0988c7c4a357269f04c7740ffdd |
| SHA1 | f2a95436364eb11212124cca5ecbcc67106bee11 |
| SHA256 | 14ebb7750d68b3ef8ce582ea8130c325b419b033a2b1268146407a98862c911f |
| SHA512 | f0e5683366dc1aec6fa12185de707d8c3f713168e192ad20835a441166fb5e3bb316751e3e2009761a63a955f1891d5b8f4a94e2f64ce14d8b5478596ab04f82 |
memory/4812-52-0x0000000000400000-0x000000000065E000-memory.dmp
memory/4812-51-0x0000000000400000-0x000000000065E000-memory.dmp
C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build2.exe
| MD5 | 245d3e63bfa3faaf90f5461a730f0c6d |
| SHA1 | 14f3d81e55216c1311a5adb9926f370dd1fea64a |
| SHA256 | 41a0b4ce4aa044feda4d84a9010f66a1b135a59a9daae510e63191a3d922d429 |
| SHA512 | a585e38181e15f6769c8a09c50f94f85550ad1854dae0bbc69894664a8062ef30832c9a41093a0e1f24521673ab88fda5ad4fc20d1db7b0129edf7b81322cdb2 |
memory/1084-48-0x00000000020C0000-0x000000000210B000-memory.dmp
memory/1084-47-0x0000000000690000-0x0000000000790000-memory.dmp
memory/4812-46-0x0000000000400000-0x000000000065E000-memory.dmp
C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build2.exe
| MD5 | 387a5267ce9252f07afd1748d49b9303 |
| SHA1 | 2cbf78869ad9664e98a83d6c16e288b9ede47161 |
| SHA256 | cf65da08b8bd5ea5ae0682e7e529b3ceeb0e9594ead2916fdfd15fa352b8a2aa |
| SHA512 | a7328aa660eb231b7ff55e7c0459a114e26ef2f7699298b4e165907c41716d77a0f54ed369666e533fdc57f822271689c964388122ac7b781b91729160c2fb92 |
memory/1152-53-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build3.exe
| MD5 | 8b6a819c6926597dfa7529b692d7a6cc |
| SHA1 | 50c535e9cca464afd3a589d2231d87ce417d4312 |
| SHA256 | b9cb5501cc2d257e049e1757062523c7f9ee5a85d57d46538fe492125befd26c |
| SHA512 | dfd28b270d99ad89f8ce1df9750b92ff558f73fe2448bf182b5c1c05c7b180bb29175eeaf5a7c918791d64b36167fc1a6044f1aaff838e02e878782f5f6c0ba9 |
C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build3.exe
| MD5 | 91de23a7727e24707ef31505e5406229 |
| SHA1 | 1a0e8b9481e69cc736720ddf888c092364f63526 |
| SHA256 | 3c89aa802e2ea458c588d2c1c7f4c8b5b624d18a374b3f5a84a46550659301bd |
| SHA512 | 87314985d3ee3a5c4f433b8f90153a193246eb4ca457748e03bb8fb77904d7d3aa7d5e77ad77967d76652592261481eef6dd8c64ba3fecbcf173472a5e6bfbfc |
memory/1152-63-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4812-66-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1084-69-0x00000000020C0000-0x000000000210B000-memory.dmp
C:\Users\Admin\AppData\Local\3488ab4c-3de8-45be-a9b7-1406c15fb4d9\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/656-80-0x0000000000400000-0x0000000000406000-memory.dmp
memory/656-78-0x0000000000400000-0x0000000000406000-memory.dmp
memory/4980-77-0x0000000000990000-0x0000000000A90000-memory.dmp
memory/4980-76-0x0000000000940000-0x0000000000944000-memory.dmp
memory/656-73-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 8caccc4fa4b46aea14789b8c8731efd6 |
| SHA1 | b7be0236c27062a16dd4001a08ebf25c6984a8da |
| SHA256 | 43652d84b0d6298f1b35413a2d852478ab98f88b4d2031e3f9037dc3fb647cf7 |
| SHA512 | 5518112caed39e4bb86b14e6a3d7c662a40a4bf2ecfd75690264b35c479528cf550d550fdec090cfc40c01c6e9d04728ea5164764f7c61ed8783d2caa9c7cb1a |
memory/4980-89-0x0000000000990000-0x0000000000A90000-memory.dmp
memory/2244-102-0x0000000000B50000-0x0000000000C50000-memory.dmp
memory/3056-121-0x00000000008A0000-0x00000000009A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | e074f8da75ef09866529487f5d50c59e |
| SHA1 | b01e28313bd9840f7a2ccaf1d0a47c6eea03166b |
| SHA256 | 2c6ec851fbd8a7f585338fecb64511ac2b1ea44e23041685f6a4842a36a2f664 |
| SHA512 | 754431ff1292e444b17e93d323fe59a44aa2f28065fb4496515babe3344a5d6aba6f78b04ac8413294bc3a8c88f32fec9e43b07ac6f2bb03bbc457957b0f073c |
memory/2068-151-0x0000000000960000-0x0000000000A60000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 7471fcc591953f745af5feaf8c146cb3 |
| SHA1 | a638f5a482ccf0360f95a81e203b0033bdef8746 |
| SHA256 | 140c464d8989aeb4dd6eca04a9c2d3b2098a90234afddae55b24e477bf48a83f |
| SHA512 | 5644104a0f9b3b5f38fb38a436eabcdf96c22665f863155f2e280a781e7c95dbecf2d6aa0a5847c4287634473bf57f7bc673ff66bae1d566137429044bf4d2d5 |
memory/4784-178-0x0000000000820000-0x0000000000920000-memory.dmp