djvu | e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2 | Triage

Resubmissions

31/12/2023, 22:42

231231-2m6ykafdhm 10

31/12/2023, 22:35

231231-2hqqsafdap 10

Analysis

max time kernel
3s
max time network
133s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
31/12/2023, 22:42

Sharing

Report Analysis Logs

General

Target

e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe
Size

690KB
MD5

36172786193e5f7a14f53d687ff81193
SHA1

c000948357737a3efa4d141e4bb7439aed41abb5
SHA256

e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2
SHA512

e9fc808b1b48aab02aad0574bbb71b8d4815a19a0c03009e9c5e2bcedfc6320ffaa8aa040fc1562aa8be5ac2d19d9a5c44b8344147af0236ad2ce54bc5e2c12e
SSDEEP

12288:PQ4Hnb0GvoG5VfM93lbDOKOoRjDgptHZQ8er2wieqcgqAwXEppmubS:o6nIGvoMVwOKjtgpt6BVJAwEpI

Score

10^/10

djvu vidar discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/test1/get.php

Attributes

extension
.cdqw
offline_id
mMsRxMUuXypapZbGOAfxD9pczHmW8zVRP7Pgjwt1
payload_url
http://brusuax.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-99MNqXMrdS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0840ASdw

rsa_pubkey.plain

Signatures

Detect Vidar Stealer 5 IoCs

resource	yara_rule
behavioral4/memory/3160-56-0x0000000000400000-0x000000000063D000-memory.dmp	family_vidar_v6
behavioral4/memory/1452-55-0x0000000002570000-0x000000000259A000-memory.dmp	family_vidar_v6
behavioral4/memory/3160-53-0x0000000000400000-0x000000000063D000-memory.dmp	family_vidar_v6
behavioral4/memory/3160-49-0x0000000000400000-0x000000000063D000-memory.dmp	family_vidar_v6
behavioral4/memory/3160-74-0x0000000000400000-0x000000000063D000-memory.dmp	family_vidar_v6

Detected Djvu ransomware 18 IoCs

resource	yara_rule
behavioral4/memory/5048-2-0x00000000027D0000-0x00000000028EB000-memory.dmp	family_djvu
behavioral4/memory/3748-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/3748-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/3748-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/3748-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/4040-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/4040-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/4040-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/4040-30-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/4040-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/3748-17-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/4040-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/4040-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/4040-34-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/4040-51-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/4040-59-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/4040-71-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/3548-97-0x0000000000BB0000-0x0000000000CB0000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Modifies file permissions 1 TTPs 1 IoCs

File and Directory Permissions Modification

pid	Process
4836	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\345a8939-f8c0-4d8d-94e5-2f9210134184\\e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe\" --AutoStart"	e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.2ip.ua
2	api.2ip.ua
6	api.2ip.ua

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5048 set thread context of 3748	5048	e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe	20

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2800	3160	WerFault.exe	88

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
2396	schtasks.exe
3308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3748	e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe
3748	e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 3748	5048	e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe	20
PID 5048 wrote to memory of 3748	5048	e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe	20
PID 5048 wrote to memory of 3748	5048	e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe	20
PID 5048 wrote to memory of 3748	5048	e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe	20
PID 5048 wrote to memory of 3748	5048	e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe	20
PID 5048 wrote to memory of 3748	5048	e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe	20
PID 5048 wrote to memory of 3748	5048	e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe	20
PID 5048 wrote to memory of 3748	5048	e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe	20
PID 5048 wrote to memory of 3748	5048	e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe	20
PID 5048 wrote to memory of 3748	5048	e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe	20
PID 3748 wrote to memory of 4836	3748	e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe	82
PID 3748 wrote to memory of 4836	3748	e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe	82
PID 3748 wrote to memory of 4836	3748	e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe	82

C:\Users\Admin\AppData\Local\Temp\e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe
"C:\Users\Admin\AppData\Local\Temp\e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe
  "C:\Users\Admin\AppData\Local\Temp\e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\345a8939-f8c0-4d8d-94e5-2f9210134184" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4836
- - C:\Users\Admin\AppData\Local\Temp\e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe
    "C:\Users\Admin\AppData\Local\Temp\e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:2832

C:\Users\Admin\AppData\Local\Temp\e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe
"C:\Users\Admin\AppData\Local\Temp\e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe" --Admin IsNotAutoStart IsNotTask
1⤵
PID:4040
- C:\Users\Admin\AppData\Local\400753bc-02a8-438a-930d-d3b63b68d08d\build2.exe
  "C:\Users\Admin\AppData\Local\400753bc-02a8-438a-930d-d3b63b68d08d\build2.exe"
  2⤵
  PID:1452
- - C:\Users\Admin\AppData\Local\400753bc-02a8-438a-930d-d3b63b68d08d\build2.exe
    "C:\Users\Admin\AppData\Local\400753bc-02a8-438a-930d-d3b63b68d08d\build2.exe"
    3⤵
    PID:3160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 2112
      4⤵
      Program crash
      PID:2800
- C:\Users\Admin\AppData\Local\400753bc-02a8-438a-930d-d3b63b68d08d\build3.exe
  "C:\Users\Admin\AppData\Local\400753bc-02a8-438a-930d-d3b63b68d08d\build3.exe"
  2⤵
  PID:1732
- - C:\Users\Admin\AppData\Local\400753bc-02a8-438a-930d-d3b63b68d08d\build3.exe
    "C:\Users\Admin\AppData\Local\400753bc-02a8-438a-930d-d3b63b68d08d\build3.exe"
    3⤵
    PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3160 -ip 3160
1⤵
PID:1712

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:2396

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:3548
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:1476

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:3308

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:4492
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
6cbd0d529a079e1d1ebc079bfaf56ece

SHA1
6ba9a0a207022d3f1546fe5a7828ea213a0f3f74

SHA256
bc2ffb49d213a2717a83c6693812fbb2d182823bf6a5db9c1c8d0c684260c501

SHA512
0e6c899f8c827ad980ae4dbf4a0c7a2f8952319a9580d5a1401ed5e79621b031fd8e673b3401e00da3eb5d055d6b3117628852ea1e1fd36b67355507080f5740

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
a5b93bc129eff9d775723cdae150583e

SHA1
e838a14b8790df5108d7f645e764e19243cb7258

SHA256
770df32b5d05a224e838102d1ce2597f034a12f6184cfa1ac6c3ce345eb5ae95

SHA512
967a0ded8cbda62e5ce187c24a6a12fa1401e695028dc77789fb166332b3d7fde44dc39aac6a25477582467e0d05ced4ace66ea1ffbedcaf5c3b6a4b40cb9905

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
092cf3cafcb15daec61e2d67650439f5

SHA1
d0056cf48a4f93f0138871bd6a2a4d4242a0359a

SHA256
d9e1e85ed823706875b3558b7f44d188410ae0aec826bb838ea304307757b3cc

SHA512
7777005b9689f9364e708b7e3fe929d7b1993a1fae98300bf0c98a9aff8429d864241dbafff2b34b91a327c79be7e99c01243be2389479ec696c420b8c9d6a8e

Download Submit
C:\Users\Admin\AppData\Local\345a8939-f8c0-4d8d-94e5-2f9210134184\e563dee44c2d5803f03a22ba355734ca5729e6ea8a1a15ee0d1212280150ada2.exe

Filesize
137KB

MD5
769a6ce685466087cc98bde5959e71a7

SHA1
6d1d1c9dde74caa8ff1ab6d4933f2b4432ed6e94

SHA256
4b5a85e1146a7dedfd5e817628361dfac48bc61b868dccd9ccb2724b0aba35db

SHA512
5ddbd8646ef102dbbc01ffc18e16ebaacb3f26b2c0ef402085108f6934fbd624eb1779f86427a12f68bb395bc14f428a91341a2127c82bdd18c8d184b00e80c6

Download Submit
C:\Users\Admin\AppData\Local\400753bc-02a8-438a-930d-d3b63b68d08d\build2.exe

Filesize
1KB

MD5
0a253894f954cb763ebb66c5d1111c0a

SHA1
2b03cee02974519b7689fd2e9f853ec7ceba31eb

SHA256
9295b5a69cb309825ad7d39d04374939ec47aaef6eed9a929acd6b888bc824be

SHA512
463ac64216369400247fd88a299f38c75400836734de228c1930bd8fa1680a679fdb32052af2994605a19f05313ac8350091e75f01fddc228d96a726a0401641

Download Submit
C:\Users\Admin\AppData\Local\400753bc-02a8-438a-930d-d3b63b68d08d\build2.exe

Filesize
247KB

MD5
1f7efac73d987dae200e36922267d8c6

SHA1
a1bb90007d2e00025953c13ca742d767ebcce27e

SHA256
5719504e2f4e976c8ce6fbfda399b80273e783ff05f61dfd1f1bd4737f0bde8a

SHA512
75ef83a7e079e553a98e60dd73a9eebbaa793ced7bbd8a712a8f7f363349456d12b3766481d03d00f376cf31c4697afd934eb9b29a2e70727a70a9f463d03bed

Download Submit
C:\Users\Admin\AppData\Local\400753bc-02a8-438a-930d-d3b63b68d08d\build3.exe

Filesize
145KB

MD5
b18c1b024f73d619cb253c0397cbf756

SHA1
8f7e2226930028fb935ae992f0b60725836eb85d

SHA256
1a208d59a097441cff5766fbfc0ff25466fb825103f07683639d1b20b61f8434

SHA512
fab11ff44bd2c34cc8a4c2b4d5e30365bc2a99aff6d0ed0560a55a1e515d1119f70e3758d66ffbb134305e85cd5292cf8c451ece0843ba21c10023235eaa34cc

Download Submit
C:\Users\Admin\AppData\Local\400753bc-02a8-438a-930d-d3b63b68d08d\build3.exe

Filesize
49KB

MD5
a5174100bf3e133125e0ede33685da24

SHA1
9ef68afe32881fb77f9a69e54825cd1bf5e09897

SHA256
858f248f0ab18547b1a5b5fc45253b506439fdb74da7e83ab7b885d9f7bd4e5a

SHA512
2939245c1e12d2e30df78b4aaf1d980dfd8b98afc88cfa1a4d31c04230606a210375a78f4aef1af53f0581a30d5d1212bb25b4e529ab5727a7122764f70f4c3d

Download Submit
C:\Users\Admin\AppData\Local\400753bc-02a8-438a-930d-d3b63b68d08d\build3.exe

Filesize
91KB

MD5
9ebf04607fdf5c32dcbdfc984daca954

SHA1
9441c79faac2af6e27b46eab2cd7a00ce792248c

SHA256
de687966965132f3fa3f5b4504b365f1af8ba24d495a6b3738b07ecdbf60a31b

SHA512
6b8fa458fbfba77d16cfe76f63462f885b6c595e9d4e8b2a4a31e7ad32cd1394f61388cdff8783371c6840f6b45e2a84d6c1495c345384b58b404d9575968218

Download Submit
C:\Users\Admin\AppData\Local\400753bc-02a8-438a-930d-d3b63b68d08d\build3.exe

Filesize
98KB

MD5
9f041113e9fce74cad0c5e7be8ae5db8

SHA1
44430ed8e1081157c25b27f1d773acc26dc58eaf

SHA256
ac179e891083f333d6b3aaa07eda7ec0e3ff93591c42e341c07eaa0094e7022d

SHA512
3694da0191a6cae2e911a3ad45f170cd491b3ddcace8d59f32ccf8988f38cabd1a2edf47bf3e315f7e7217209dced6f2f057890c9812838cb6891f20cf8b063a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
92KB

MD5
4b3fc3105731c7ff3a7e3966416912a2

SHA1
0e792bf25e8795158074fa6bd2ee87ad16675124

SHA256
c0f698bcc4324958848de5d8e1b1bdaed5e01632d8c827a5a95356eb04a2c443

SHA512
6ed5ee0139d9d9a676232a6c5d6e9a8528f880025a11fccf8a1a32a999ae5fac41f993c384fabec788e4e47da714d67f1def0348da6b0f4392e7fc7ff1098c28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
51KB

MD5
82904051183ebfd929b0c5540623ccd4

SHA1
1005e0cf1d5b71180499fc42b1b1bd9ece72dfd4

SHA256
0d91e49ae773058d3e3d4f4086512991dc919eadc7872e2d5d3b7c0334761176

SHA512
ae7ada7d0c502af090fd8748924fc00a68caa3f2f675d2aba0aa16137b134b11b5e4722a8d91eed27af6f075ee09b9f1cf5d1e8adc7eddb197c82e18515e3ff7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
145KB

MD5
7430ef5a192578c6b4d2e7ae85f9de70

SHA1
07ff5f7733723a9e26094eb13b81de7b7df45361

SHA256
84f09714ca19243bee6b2ee96baf939338bc6020259334d087917dc05be2b995

SHA512
1616cb024d36f5871f16a748af9caefd0b2f37964bf1d2f0c059bee85c1cfd529fe1369561eba4b9e94a3a9f8a000a7fbbcf202b5491eca2fd7171ec2ec36653

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
122KB

MD5
b3806b06c33435a914c2f2cf03bd7bb8

SHA1
2f9c59b418c39eba15d0c45144c187ae8aadcb07

SHA256
c3edb4090e8d26eb94e1a35eb8984ff182ccbcb373134109e9106ed452a2748c

SHA512
c9574cea845ebc6c8eb4967f6546cfb9551bdd91f5d215888e1aeefb8b8a32855a75b8ce083eed82a8b467f8463d26e37f735aad8653b2d7e42469a46ba1c5da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
44KB

MD5
bf4b6353968bb89b964eee7b06fc9f75

SHA1
8f3a6f934e456a5016e743e65879b687dffd3e7d

SHA256
2464a871c9f5b49ea0e29e3a8195b5b7f4e5b06c2ecece1da3e84168b4c46973

SHA512
48a80ebb5e35e2c5c65a3bd9b7254070585a628d140f2a19aaea0126507145e2385bc70a5ae91a4d4667d8da17e3fe187db6c747b0686e6a4fcaadb9640336eb

Download Submit
memory/852-85-0x0000000000410000-0x0000000000413000-memory.dmp

Filesize
12KB

Download
memory/852-77-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/852-80-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/852-84-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1452-55-0x0000000002570000-0x000000000259A000-memory.dmp

Filesize
168KB

Download
memory/1452-89-0x0000000002570000-0x000000000259A000-memory.dmp

Filesize
168KB

Download
memory/1452-54-0x0000000000A4D000-0x0000000000A64000-memory.dmp

Filesize
92KB

Download
memory/1732-83-0x00000000008F0000-0x00000000008F4000-memory.dmp

Filesize
16KB

Download
memory/1732-81-0x00000000009DD000-0x00000000009EE000-memory.dmp

Filesize
68KB

Download
memory/2832-20-0x0000000002490000-0x0000000002531000-memory.dmp

Filesize
644KB

Download
memory/3160-56-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/3160-53-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/3160-49-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/3160-74-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/3548-97-0x0000000000BB0000-0x0000000000CB0000-memory.dmp

Filesize
1024KB

Download
memory/3748-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3748-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3748-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3748-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3748-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4040-30-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4040-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4040-51-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4040-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4040-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4040-34-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4040-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4040-59-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4040-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4040-71-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4040-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4492-117-0x0000000000A40000-0x0000000000A50000-memory.dmp

Filesize
64KB

Download
memory/5048-2-0x00000000027D0000-0x00000000028EB000-memory.dmp

Filesize
1.1MB

Download
memory/5048-1-0x0000000002730000-0x00000000027CE000-memory.dmp

Filesize
632KB

Download