Analysis Overview
SHA256
ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc
Threat Level: Known bad
The file ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc was found to be: Known bad.
Malicious Activity Summary
Vidar
Detect Vidar Stealer
Djvu Ransomware
Detected Djvu ransomware
Downloads MZ/PE file
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Modifies system certificate store
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:59
Reported
2024-01-15 05:04
Platform
win7-20231215-en
Max time kernel
300s
Max time network
153s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8d48942f-f643-4d39-aaf0-87b2aeff60d3\\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1676 set thread context of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe | C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe |
| PID 2592 set thread context of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe | C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe |
| PID 2660 set thread context of 2484 | N/A | C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe | C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary blob value not captured in this report) | C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary blob value not captured in this report) | C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe"
C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\8d48942f-f643-4d39-aaf0-87b2aeff60d3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe
"C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe"
C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe
"C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 1440
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| CO | 186.147.159.149:80 | brusuax.com | tcp |
| IR | 2.180.10.7:80 | habrafa.com | tcp |
| IR | 2.180.10.7:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
Files
memory/1676-0-0x00000000004C0000-0x0000000000551000-memory.dmp
memory/1968-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1676-1-0x00000000004C0000-0x0000000000551000-memory.dmp
memory/1676-4-0x0000000000700000-0x000000000081B000-memory.dmp
memory/1968-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1968-8-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1676-7-0x00000000004C0000-0x0000000000551000-memory.dmp
memory/1968-9-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\8d48942f-f643-4d39-aaf0-87b2aeff60d3\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
| MD5 | 20a0d15b3694b4cd8dbcf2281ac08591 |
| SHA1 | 47a9f1172ab951a2ed68f1fa0122d632ae2a0f66 |
| SHA256 | ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc |
| SHA512 | 55e990f99031ec607dacb31dce7373111fab676336f98eef7c9a35edb1ea1e69a9e0f00dc79e77b9d7c3158ccf1632634e5884bed89222b3dee96ab4dd6f2d9d |
memory/1968-27-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2592-28-0x0000000000270000-0x0000000000301000-memory.dmp
memory/2620-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2620-35-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2592-30-0x0000000000270000-0x0000000000301000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab28A6.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d17e1129fcf1b1171315281d14be9757 |
| SHA1 | 373c5c39ecbe3132654b7c28640ed12091543ac7 |
| SHA256 | ffc60c52e50d3f520249c2c101afea933c13ea768416022a61c5c1d0df747950 |
| SHA512 | f53f7d52e61f054deeb33940fd5f2732883de4a0619ca62885bb9133489e7c51fe9e338ef76d06899cabb27691c8d5377bbcc9300a24437b1be96dd9bce43e20 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | fb93c6f6c919b24deaed6bbf017008cd |
| SHA1 | f744f76c86f454676c7805af45e7209b061d25c5 |
| SHA256 | c74395f967cfe0ed9f0bad14cdb99188370186f95bdfbeae7fe716f07cec6fd9 |
| SHA512 | 8333e070471a65eb23aa574be1ea4bb947e6ecdf1a14a429ddb53f8612b738446660b37e400958999704d85a4b818a4df7489776996dc2d5411e0bbe60046b6e |
memory/2620-50-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2620-49-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 8448d3aa1248e31218217fc5a32de612 |
| SHA1 | 0c043723f77683b93abf32ce1c44f1d5d1c3f421 |
| SHA256 | 595225b49e46cb3188316c75f0befd0063ddc348d46fd0f1371f4517d12ea3cc |
| SHA512 | e83a971266597a9f49a703b5d4aaa662dc3c0c4a4ba9686ad1266102620bbc5c7d1425b2c7a45e0b470af71ccb2ccf164cf2b4ac501b292ee42749abdfd8e4dd |
memory/2620-57-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2620-56-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2620-54-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe
| MD5 | 0b2c3c144d8ef3d86c29c1ea2c2db875 |
| SHA1 | 82e04b00f56bea4df2a0b116042c4f14d6bd7ccb |
| SHA256 | d4e18facb6cef797b9a22e0dd6eeddadd3b08551866374dcc94ae26e559d33a1 |
| SHA512 | ad99aa3457bb7af7957a541c9a9d751685094a07673fb68c0915b3e7052328e5316be92f6115f7102b54e7891a5a034ef9cf0710abc78d89d7feabc9ce7ddda8 |
C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe
| MD5 | d3ea3654914c8852f3a87180d1a2c241 |
| SHA1 | 8fbceb89a466cf0d638349c4ab11049eeea92827 |
| SHA256 | a44378f382dc7d31009893e74486828819f162acf0a56f0abc145ec9d6eb5e93 |
| SHA512 | 758cf04e0f35dea39a89c0975bc8c63cb38572530b24c9f1c98bfd40c620aedb9e5846567efdf6cfd8708112bcf17369417fc61bd60d5280e3f741b58e221a81 |
\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe
| MD5 | 4d3ada47a82a737dbd9a9672f8659366 |
| SHA1 | abd8382762eacb4430928cb814bc7f0cac536504 |
| SHA256 | 4914798a45e8808b148480a5345ebd86be9cf696baf372059e52b1074549aaef |
| SHA512 | 713fa4ea0b71068ca34cddf394ce493c12d0073aba11df43ce5ae1d4234e33053f5b95bd5ad5e3d275c8b4a8ca17a83d04298db6ac0968bb85dfa34eea9b50ba |
memory/2484-73-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2484-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe
| MD5 | 600baa942b0b4d4e50a6816a766751cd |
| SHA1 | 4e199b21e8aca88bb3e20d685396a3a1c5abdcc7 |
| SHA256 | ed4b2bf512c5254c272e316f620afcdad26075ea48b2c67382eda20c1b2d2e5a |
| SHA512 | bba6f2df515162fa6b44a258f92cf96f6cdafca5d9a7967d5061300b12f9660bc093efc156b436f0c9bb59e2d7f0f0ec66dc74de2676c1e063870034a8531551 |
memory/2660-77-0x00000000002B0000-0x00000000002FB000-memory.dmp
memory/2484-79-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2484-78-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2660-76-0x0000000000510000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe
| MD5 | b2808651a83ceefb3f6426029b782791 |
| SHA1 | 68ed8fcdef574d26b038a5b8ac83c5b313d6405f |
| SHA256 | 43fe14f20a4b534f2a9d63701ad88a646b7ebcdb7e465789e8443fec8c7cf325 |
| SHA512 | 733a39ac098d9a28203855c7876090f7d3b466760a93b18245d9fe79de1b6410a4523ab485e702e20af0be0a64680c3ed3157c874c12b3a172d6d69307517519 |
memory/2620-80-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe
| MD5 | 39f684a39496bea7e5fe2b862157e633 |
| SHA1 | bceee6c817276bbf6fc13c8c2e5557f9fea6ae86 |
| SHA256 | d563a779176ce0e86af4e240924a8fa45c8b9ee18ccca669a361a515f16a9c02 |
| SHA512 | 3589042f766c35050bbaf5c583bfc2d590e4688482707cccc2f12115bdda17114d49dcb0b61328f27d6934860f3ca29271302260fc5d2c1c4ed712103e3eab8b |
C:\Users\Admin\AppData\Local\Temp\Tar39E6.tmp
| MD5 | 1f87e0b6221312c5aaaccb8121603088 |
| SHA1 | bb362447f7435c9e8d58c3cd5ccfc24c186f838f |
| SHA256 | f1fb4dc3162af1f0ac16c06dfc05deb8f158ec14b6d4d2d948d43ecaa092b19f |
| SHA512 | bb2944efffdda42f16677f5ce69037887a649c7ef3e1826e61a85db4b8cfdd53af91c9f0c6e376ffff14f4293896c1e939463b0e8b2d84d192c3ef9b46efbc0d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 160af5a6533a7b64ea8cc1c1f01db434 |
| SHA1 | 7cc7d309e444ffa706f8626212b98ae8eb7891e1 |
| SHA256 | ff770a582029f8821d0b0ddecbfda32a8946408bd2ca0245000e0d9497f81703 |
| SHA512 | 2d979b6a4477725abeba442d6baf57a8bf4d37417a89fe352d7a7492d02e857ab5035e3c5190cfbea9543b254f5fe3df47d4c8db53f54e531a9483bff46807dd |
\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe
| MD5 | 22e09e303bf210c5a1366eed0be0b294 |
| SHA1 | 8579012d28b1c325facb09e50ee0f33400c98d0f |
| SHA256 | ef828c82ba2541737e984e24f16ab37b68810ccd90c836cf18d74e4a90417c7d |
| SHA512 | 9d5aec3a9787b019191e700366aed9ed6d48a01868ec6588a6b64759b84fd96523a48f5a2eff723cdcee0096c40ea0f2f6d9bc2a67aa559f11cf2928317b3570 |
\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe
| MD5 | 19328a290f3992a5f63b0bef89218be4 |
| SHA1 | 5b798f9014af5404f66a9c6022e9a488c1cf4fa6 |
| SHA256 | 2d0e2ea31bef90b5c6c83d5256ab4692a91c6342cc98e2b2f1d0a7f22658cecc |
| SHA512 | f02899e8bf27f1265a067b0f9737c4476a6f49331f3be832f63cd396e730eca7c3e30eec39cd293641db5a05b89f8980e5e3eac79bad246e5537c97a3eceb044 |
\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe
| MD5 | 1f932ddda236e15e47b0bbdfc3afcc71 |
| SHA1 | 4ae50e69606ad10156dc1c73fcadafcc03373a7e |
| SHA256 | 3217b1922a79d11579e159aa5557f230ba70803bce304f8d227b3b93d32d06fb |
| SHA512 | 2458e6ae673749c516bff2d83da47c9d0f5c4a50a2fe6bfaa0d7c9696fca5d72bdc22a9103d172237b651bb451d01cc5def1781bb80a33257a708ec1a3565ff2 |
\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe
| MD5 | 0ee21651770797e46547373020237d66 |
| SHA1 | ad50062605bb70be6b1c54a97bd74b958dfe9c30 |
| SHA256 | 87dfdd019f35d2150e54a4f8381edeef3d1c7ff2c35cbf7becf84e8d073c18c5 |
| SHA512 | 1f35aac8018d00fc9c9acec267c15ebc38e1182622655747a4384204a5f53764984953961ff9f67269f97cf950411d655aff54b82178bba67d04ba545e15e337 |
memory/2484-201-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2620-208-0x0000000000400000-0x0000000000537000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:59
Reported
2024-01-15 05:05
Platform
win10-20231215-en
Max time kernel
299s
Max time network
303s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c30fe274-c02d-44db-a034-09b6b32042e4\\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe"
C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c30fe274-c02d-44db-a034-09b6b32042e4" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
"C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe"
C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
"C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 772
C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe
"C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe
"C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| AR | 186.13.17.220:80 | habrafa.com | tcp |
| AR | 186.182.55.44:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | 220.17.13.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.55.182.186.in-addr.arpa | udp |
| AR | 186.13.17.220:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
memory/4372-3-0x00000000021F0000-0x000000000230B000-memory.dmp
memory/2848-4-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2848-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2848-6-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2848-2-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4372-1-0x00000000020D0000-0x0000000002168000-memory.dmp
C:\Users\Admin\AppData\Local\c30fe274-c02d-44db-a034-09b6b32042e4\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
| MD5 | 809dc9c06f88c3d380cd0c1855311d9e |
| SHA1 | e31e50c75315d7bebad2f458aa44880c0ac5dec1 |
| SHA256 | e914ba740c350751f14369efba5aa443de686622e689077ac9e65d71b86a9d70 |
| SHA512 | 92ef1a17da678da7bce1c0539c7285ba9b313ee49642b6a017921eb284997a00171f5f1baefcf718492cd73d6570f694fe696c3257166158a3b5c05c3f0b127d |
memory/2848-17-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4360-23-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4360-24-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4360-22-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4480-21-0x0000000000530000-0x00000000005C7000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | e02ee8746d32cbf60121c161f57ce78b |
| SHA1 | e9b09408f286959c4afd76a9999295e7397e3e2a |
| SHA256 | 0aba5c7abde9c89c2149521946c84253c23e39895c21271598c330cfbdbcbc63 |
| SHA512 | 51510fffaf31339ccd6f8470d209cfbb902c07e0ceb76b10852170acdaa4805d4a2627d1132d78402c4a1ffff354a2c9f4679fced86323bc9ec6c0dc8190a88f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | bc441289c02b7763a032a062415e2d0a |
| SHA1 | 333601fdb789412029e0b59d50a5b6a1ae192f7a |
| SHA256 | 3d2de6db8f8e290d25e819046bbfa43bb87adff812e232dfb6e62c8279be1879 |
| SHA512 | 843ebc5f58dc7fecf209633a7c13af2c69e1771431ae7b13897603b0853c9e2185a2b1ae4516dd571d50c28cc3e6bb9c3da03ef19e25803ff69c9a5b6ef352c3 |
memory/4360-30-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4360-29-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4360-34-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4360-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4360-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4360-38-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
| MD5 | 85ba587c06ec82f09b3cf644e12b64de |
| SHA1 | b63a09ca72401bd505823df8e0579b605838ea0b |
| SHA256 | 2672abbfcb957d362b31d8738901a4dfb0d98a7e0c5cbe46740dd5954a0d930f |
| SHA512 | 3bef5da14017a142d8574ef1699410a1ac56ae27edcb1dc03464fe3334cd183028d5e7b8135fae55b2040a074df7df3f6c78b0320e26ffb594a5e9b6bedc1f68 |
C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
| MD5 | 91a99112f06b75248ce528005600a08c |
| SHA1 | 8df0504af54f9dbfad9a983e8bef5ef9f03d0dcc |
| SHA256 | be5a0df20e70cefdf592a5255c1f881e7daa98b8cfc7c851d4a38254150260d0 |
| SHA512 | 02abfcc0f51ec22dcfc6b82121dac4c5ef6e35f441fcf8d6ed642f36332d973293f34391ffbeda93a34e2b4cbf45124cf7ac6c27fe9a719f14d7efd35f8e182c |
memory/3960-53-0x0000000000400000-0x000000000065E000-memory.dmp
memory/3960-54-0x0000000000400000-0x000000000065E000-memory.dmp
C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build2.exe
| MD5 | 5f93e96277bcd90fcce5d874629be7d0 |
| SHA1 | b463dbdb14ba6e6969fcb0469447687789869cce |
| SHA256 | 9a7d8bbbae7c09987ab35c433432411213b3094ca32d4c4e9d9bf8e2e4a8fbe9 |
| SHA512 | 632dad65caffd039fd8864ca832034887ff91bbc9396c7e2af4599cbf8697f2284682de217616cdcdc8070a41f00209dbb969e4d82c98b170366a40432f8cf65 |
memory/2540-50-0x00000000006C0000-0x000000000070B000-memory.dmp
memory/2540-49-0x0000000000790000-0x0000000000890000-memory.dmp
memory/3960-48-0x0000000000400000-0x000000000065E000-memory.dmp
C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe
| MD5 | 45251d81e6c0caec040203985cde7b44 |
| SHA1 | 163a40f0392db4fa731d49731d28debe84c7e848 |
| SHA256 | 190e6ea28b58c0ad6e119bff026594692b23a21e170c918f222a4de2eba3bb71 |
| SHA512 | e920b64b8401e363b53adc537263772480845b227375205b0f8ed6ec48ac4ca51acb39af12e7d22626dd9eb83d2c9463f40cdc610fdeac3673665d7223147254 |
C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe
| MD5 | 4282cb787bc1ea23523430ad8967c67c |
| SHA1 | 36a91398a902a63b80ed0a3e6258c49eb6150dbb |
| SHA256 | de528f41e5aa2d028e61e4cee62e694892d252c375348793d6572538bf465cb7 |
| SHA512 | 76c35a3d162708c4b207259c5188c319ec2922474fec191a82298299c6dda5003ecccf274a29826c6e67c136081e767d92811a3f084fd7c3a82e1892a92985e3 |
memory/4360-65-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3960-67-0x0000000000400000-0x000000000065E000-memory.dmp
memory/3044-76-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 899bfc0d52cc0a46893999f4d383140a |
| SHA1 | a3d02de16f221d6ba3c8b21e1baa90c604b39933 |
| SHA256 | 0e22a90d73c50187cc0e4c2106d9c88e72dd371aa934ded01a69c1356a4693e0 |
| SHA512 | 73889078ef07f486618b8cfc26213140c2dfacb3d5b07ac514a4e2732ed880272b026a4af7e7fe0a18fda706d95f217cb4185f60ec2f7fba2068c85f0bcd9d4d |
memory/3044-74-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3944-73-0x0000000000950000-0x0000000000954000-memory.dmp
memory/3944-72-0x0000000000850000-0x0000000000950000-memory.dmp
C:\Users\Admin\AppData\Local\6cb9f7e2-7e5b-4ab7-adb6-5c1e9b4006bf\build3.exe
| MD5 | 8e43e2aa8bf102b656bf0100b841e9e2 |
| SHA1 | 2ca2c1f0289e91610f759d284a2cac037c4b172a |
| SHA256 | 645a972a88bc249e79e40ab8f5a815e8ee0bc8c5393ebbdb9d0df8a3f80f6c3b |
| SHA512 | 55497f1b3aecea1266d2c19688ac5340536f43bec977da8e887937c5693eaec7784596a2e0d1916f95b4161bb460430e9358e7cc594392c2d2a418358fd89138 |
memory/3044-69-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 27ccd42c218818e0b18f27ac8bd0d066 |
| SHA1 | cc0f0679200936893bcdea3bba4081b57fc2fc0e |
| SHA256 | 176159b75273018d491e98633e5ed4233924cdbcc9d22d0dc32e87ec72fa8eea |
| SHA512 | a0f00b894e36eca41bf2f79de1ee7adec9d0591be4902de51046915a66235b3067e27a8974587395f5bfa69ae9e17778c9d4ccd897848030b5983dfc6ee2b92b |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 0af6621a736a6bdad2955a49d0764fc6 |
| SHA1 | 7bc4487d8c19caef8a95fc53d1e3d154b5ed20ad |
| SHA256 | 5b0550bb588155654be23cf82716fa4d94e79466106aeeb818e0509fa849dd66 |
| SHA512 | 317d98f34fbb8ccfe550775a3112d4375a97ae13d84299494ad762e2fa0e4659d9f92baa1f2b171e1a97762b022842d6c3a444444b89d4cf2155c50cdf1c5f69 |
memory/4416-95-0x00000000008B0000-0x00000000009B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | b72509b1eec38b6c493c6814f296eb0d |
| SHA1 | c9988cda365e34712ce1627024336a711c7d9bc2 |
| SHA256 | b0302ae30b1e3c6370ef4b748df79a4109413dbf446b41d5254911b526223781 |
| SHA512 | 7f19dad7bfc4ebd472316124c09df4923a4ecb3a5bc6a8aa50e3bcba50f5c4e0037d2e40908c693d064889a2f7b0808df848e0fb0f976fbffac2fbd328d6750c |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/5044-119-0x0000000000ABE000-0x0000000000ACE000-memory.dmp
memory/4704-122-0x0000000000410000-0x00000000004D5000-memory.dmp
memory/3348-143-0x0000000000840000-0x0000000000940000-memory.dmp
memory/1260-169-0x00000000008C0000-0x00000000009C0000-memory.dmp