djvu | 7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4

Analysis

max time kernel
6s
max time network
299s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
02-02-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
Size

729KB
MD5

3f51b9adc83302f0a3a63a9ce89b5a25
SHA1

934d5c5b4e3c86c9ae3e7df7150cbdee9d24c113
SHA256

7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4
SHA512

d7f5d7a15bb6df80234c818e8e92c310643f3493030ac6cf02f7c8865e97125ed530c0a9819b22aec0311b34d329239f33cd4563238d198e6a43b1ca5a90efc4
SSDEEP

12288:Yd+RYmXPSXL6YOcrS0sKN+mR7Z1JFVFaM1Nolw6OWqY:YcXX6LOcrSwNXR7TOMXcOWH

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3544-53-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/3544-54-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4428-52-0x00000000005C0000-0x00000000005F0000-memory.dmp	family_vidar_v7
behavioral2/memory/3544-48-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/3544-77-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1812-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1812-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1812-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1812-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/312-2-0x0000000002270000-0x000000000238B000-memory.dmp	family_djvu
behavioral2/memory/1812-19-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/832-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/832-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/832-32-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/832-31-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/832-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/832-38-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/832-39-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/832-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/832-55-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/832-72-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3384 icacls.exe

pid	process
3384	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3cba9e6a-2a45-4837-9c02-4821fbfe49e9\\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe\" --AutoStart"	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.2ip.ua
2 api.2ip.ua
10 api.2ip.ua

flow	ioc
1	api.2ip.ua
2	api.2ip.ua
10	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

Processes:

7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe

description	pid	process	target process
PID 312 set thread context of 1812	312	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 2156 set thread context of 832	2156	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2972 3544 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2208 schtasks.exe
1392 schtasks.exe

pid	pid_target	process	target process
2972	3544	WerFault.exe	build2.exe

pid	process
2208	schtasks.exe
1392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe

pid	process
1812	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
1812	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
832	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
832	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe

C:\Users\Admin\AppData\Local\Temp\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
"C:\Users\Admin\AppData\Local\Temp\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:312

C:\Users\Admin\AppData\Local\Temp\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
"C:\Users\Admin\AppData\Local\Temp\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\3cba9e6a-2a45-4837-9c02-4821fbfe49e9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3384

C:\Users\Admin\AppData\Local\Temp\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
"C:\Users\Admin\AppData\Local\Temp\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
"C:\Users\Admin\AppData\Local\Temp\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:832

C:\Users\Admin\AppData\Local\759f6d19-5edb-4a9c-86a5-44a4162df94b\build2.exe
"C:\Users\Admin\AppData\Local\759f6d19-5edb-4a9c-86a5-44a4162df94b\build2.exe"
5⤵
PID:4428

C:\Users\Admin\AppData\Local\759f6d19-5edb-4a9c-86a5-44a4162df94b\build3.exe
"C:\Users\Admin\AppData\Local\759f6d19-5edb-4a9c-86a5-44a4162df94b\build3.exe"
5⤵
PID:1540

C:\Users\Admin\AppData\Local\759f6d19-5edb-4a9c-86a5-44a4162df94b\build3.exe
"C:\Users\Admin\AppData\Local\759f6d19-5edb-4a9c-86a5-44a4162df94b\build3.exe"
6⤵
PID:2520

C:\Users\Admin\AppData\Local\759f6d19-5edb-4a9c-86a5-44a4162df94b\build2.exe
"C:\Users\Admin\AppData\Local\759f6d19-5edb-4a9c-86a5-44a4162df94b\build2.exe"
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 2076
2⤵
- Program crash
PID:2972

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:2208

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:2592

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:3568

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:1392

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:1084

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:4124

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:4184

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:2512

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:4304

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
7b0c931c9e5f4ae3b486907b8e65fe09

SHA1
abb761d0fe5318119a8a21204b56840a83c12584

SHA256
d21cfbea4d9bae6d62238f6c73b0c9d2b85ca549cd6c404d013e9f859d1e4fd8

SHA512
2f9a996f02606e5a0c8a288045644b43b45401f1bfd7dcc8593fde95573d77ac83b466af1d3b019f6ae444304f7c564a4685f751a68cb04d8f014d7001409c32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
86cf961497152d48b1a005eb6827a8b4

SHA1
b4a8b0952662b44e41dc1825186c952877aa2337

SHA256
0092e25238c372d4d10920822ba2000542590878fdd449f05d5736cc2418c210

SHA512
4009f5c245b44cbbd08d4c7db0e505c28c576beb8b196fed9a162be72759a18da14dbdd82b1108766ef201385bcb41873ab23d20b40aa1cab298078d0afba17f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
1b49c975ba3a428192ae505c87cb26e2

SHA1
813b4dea368a56bf1832a3f9c96a4116b04ed7c7

SHA256
02bddd63e063ceaf7ddd9118e12feeab6da92530fb62d5ee839ef347482d11ba

SHA512
4064f3b7bb0ab0461195722c0b212f8f9422b3b4b27dcf03053d0568551baa4e388f2c839cad9966936c889e43a427dd2c4e20976c52d539436ba724fabb4955

Download Submit
C:\Users\Admin\AppData\Local\3cba9e6a-2a45-4837-9c02-4821fbfe49e9\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
Filesize
63KB

MD5
e4d862488096ab3be7101d60a72e0dbd

SHA1
dbc24db6de7ba96f9d2454a54d44625c6029622d

SHA256
c9bd91a29deab1d32325b048f6506ccd210196fee29fd52a31130989775fe775

SHA512
c3d30799d2577d60f17198715a79c2008717d9cfd5dae21c527ef0f2256a41b5c90267031c08ad9c63fc91aea27de812af377f5db00dd2ebab3584991645c45d

Download Submit
C:\Users\Admin\AppData\Local\759f6d19-5edb-4a9c-86a5-44a4162df94b\build2.exe
Filesize
175KB

MD5
1e4500174508282108cbc9425b81b501

SHA1
984d05ea109238daa50311a5ba0a83f7359a2cb2

SHA256
afa32d3c6e12717f97ae343b4611303a6fe94bf228e306244fa958cb4876fcbc

SHA512
98f04d7afab5f57e926b00140b91a2f19444e6ec4febe63a7c177bd1a56e21b8bb1052acc4b051d20063bcda38754439f63e9e901ccbfc23bdfd14de682a556e

Download Submit
C:\Users\Admin\AppData\Local\759f6d19-5edb-4a9c-86a5-44a4162df94b\build2.exe
Filesize
1KB

MD5
4b49c6fe09c9c2d4b59bd6cfbeacb12c

SHA1
34592ba710ba16b6df0cda4dc8cfd6db93600062

SHA256
284c248d8da39b056cd78802f016eeecd4d0f55c272de796f9fc3744d3db67bf

SHA512
4a31d9edca2c3c4b21113489627930a2bc444c68a507c08b72ae15f41d23d555b75b4bfe84ab81dd3891735057c0f6eda89143ba49b8940f0a0c7b9e6501d5b3

Download Submit
C:\Users\Admin\AppData\Local\759f6d19-5edb-4a9c-86a5-44a4162df94b\build2.exe
Filesize
38KB

MD5
d50583a17cbec0a2c8fda6d01783c453

SHA1
65453f118d9cd3628c71af948a2e7c4914a43e52

SHA256
44ab3662c1404407c5aedd7bb38214cba565ef9fa423850d44316d5ecff980a7

SHA512
a37c63db77509b260b7d5581b307620eb9db7d118b7f837d6b709aec4fb9e57a56b460d1006ec733ce216380808e97dd39bff90ab859c47c03b895721c84331e

Download Submit
C:\Users\Admin\AppData\Local\759f6d19-5edb-4a9c-86a5-44a4162df94b\build3.exe
Filesize
79KB

MD5
8e9ec1ee79845cf2f579600eeb892dee

SHA1
527bab5992a312b5475806f11ae8b54422c9a1f4

SHA256
69364418b53e1e4e2e19d87ea9bdd63bb4f2623877a1be462f5c85810e95303a

SHA512
da3713b786d4bfbc996556f1d83d192c78e1c9dbe132302e08968a83d3471bfbb0bd471b33902af694b07edadb72ece1c6b4b86ec2830485bf0a3d1e3570318d

Download Submit
C:\Users\Admin\AppData\Local\759f6d19-5edb-4a9c-86a5-44a4162df94b\build3.exe
Filesize
101KB

MD5
ff0b65997eaa77a8869d011a3a3b12fe

SHA1
a422447cab1d15b9f8de741dc1d55e99145fbcff

SHA256
bd7e1800b5b81ab6cb893057647ddba63f29580a9a3da3a975319bb1f6cbda4c

SHA512
b2582251c988d6a4ba8cbdcb2564d5783a20ef19fd99395b599a69950ff5cadd51b4bda94cd48f0ea45d02f47c391d4da544ed2974d2a2588e8c0697441f2e36

Download Submit
C:\Users\Admin\AppData\Local\759f6d19-5edb-4a9c-86a5-44a4162df94b\build3.exe
Filesize
290KB

MD5
a856f54925d2b1b89ad17a851d63e319

SHA1
5c27204c9bf9babe0e2c066df15c7f51fb02458f

SHA256
9f4ecee7260cd8361ee548c7ffab3d9169fc5dbcedd2d952eb46123f339856b4

SHA512
4f82d73e058802e88edcd909cbb54fef6d3af4c572d0ac24368d95d2d378b1dc106ba61aa32a71fddab0c3e5b3dab4bfc6915c1590b0b9ea0868de52dedb9656

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
290KB

MD5
c962bde7b8cc2acb4be55e2f048145ac

SHA1
f0b6ba5b68f748aa8e8659f910a370660ff41606

SHA256
7e33e6a95a776b7f2820e828292d4647fa31965cc71f791fcf0838440b1fa729

SHA512
0c7bae21553cda09b3ce9a7a71cd63418b2b5a1d267307e93cd82d42f7183060d64d1ee4184f28935db9aa45e3f1cb5fbae0f0b12be1942b92f866a35930dd61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
273KB

MD5
cadb4f4edbd3f368ee11a26d45e43735

SHA1
c8df439594b2f3a0743dc3b32ad4ec9ba86f4c25

SHA256
575db38ab385b8efa8662fd60c6f96db4aa93d62933af91435820cc15a714603

SHA512
0e79e2e0c5447fbba922a11c5ac24c7330d36637e1408aa2966dd234dd563686b4b87d27e0a878a9516aa877763aab78644865819d5a06990348dd434b19dcbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
33KB

MD5
05dea77d5a4b9b4bd4cf59bd384f31d1

SHA1
6e600029010e2de3be2315b9e7bcfeedd4fdcf7c

SHA256
5c209d581e1bd53f79b635612738a10aaf6000b6e4d324badd7ec3cb603385a3

SHA512
4142ef3dd49d17de46fdeef797c2c08dfed28b92364191ae73c8eac12e1d6ed07763df4a06996eed9d4a56f7667b0a97731f96453d2b4c513757ebd10c6e2280

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
55KB

MD5
9dcc42701ec8170e526114c1e5552616

SHA1
ee267d268e36940b0a98b41ea979f47d7b4b932f

SHA256
9a7b85b98223eeaec6d232a33bac32fcccaad78adab5963be435e69a2070188f

SHA512
dd4b4d00cee45c338ec05f255962caa91eeff4e96509c0bb7b5ddac78ae302fd330c48901a1155651727530e180c553a934567c8fbde4ca36722536350c47bc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
93KB

MD5
dfa9eac167bee93c990496311bfa0620

SHA1
5e0428a3d2bc6e3c3547f44aba0298a0f49d3746

SHA256
028064851659f1c19beeeaeb5389ea8492a87d38faf3a3f29bc443c4fcfad6ea

SHA512
a09fadf462bfbaa7daec52efce887011c3c3ff26fe9a6cc98ac7953c0b0df7a1877f85685f984d1d91c3100f2ceeeae8606a115325d08a40067c28242935fda4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
147KB

MD5
bbf700570f07703e95885207e3e953d3

SHA1
4f2dbcf9cbc86ce37e71251b3d6d05d7ada481c7

SHA256
b8345d1f2837bd3454f762d32fa2b08b7d5bc6c6de3ae3dd36f3013d5a680fb8

SHA512
0f98bdc75d3b77d8fd6dd166a62ba2e048781161654b42522eddcf2a5893de51b673823558578e003216060f42eb38c6b632f9e158c5b9982a3da0c4b78c4ba7

Download Submit
memory/312-2-0x0000000002270000-0x000000000238B000-memory.dmp

Filesize
1.1MB

Download
memory/312-1-0x00000000020D0000-0x000000000216B000-memory.dmp

Filesize
620KB

Download
memory/832-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/832-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/832-31-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/832-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/832-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/832-72-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/832-38-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/832-39-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/832-32-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/832-55-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1084-145-0x0000000000A40000-0x0000000000B40000-memory.dmp

Filesize
1024KB

Download
memory/1540-85-0x0000000000B00000-0x0000000000C00000-memory.dmp

Filesize
1024KB

Download
memory/1540-86-0x00000000008E0000-0x00000000008E4000-memory.dmp

Filesize
16KB

Download
memory/1812-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1812-19-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1812-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1812-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1812-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2156-24-0x00000000020A0000-0x0000000002142000-memory.dmp

Filesize
648KB

Download
memory/2520-84-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2520-91-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2520-92-0x0000000000410000-0x00000000004D5000-memory.dmp

Filesize
788KB

Download
memory/2520-89-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2592-120-0x0000000000AEA000-0x0000000000AFA000-memory.dmp

Filesize
64KB

Download
memory/3544-54-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3544-53-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3544-48-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3544-77-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4184-169-0x0000000000AE0000-0x0000000000BE0000-memory.dmp

Filesize
1024KB

Download
memory/4428-51-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/4428-80-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/4428-52-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download

description	pid	process	target process
PID 312 wrote to memory of 1812	312	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 312 wrote to memory of 1812	312	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 312 wrote to memory of 1812	312	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 312 wrote to memory of 1812	312	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 312 wrote to memory of 1812	312	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 312 wrote to memory of 1812	312	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 312 wrote to memory of 1812	312	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 312 wrote to memory of 1812	312	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 312 wrote to memory of 1812	312	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 312 wrote to memory of 1812	312	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 1812 wrote to memory of 3384	1812	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	icacls.exe
PID 1812 wrote to memory of 3384	1812	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	icacls.exe
PID 1812 wrote to memory of 3384	1812	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	icacls.exe
PID 1812 wrote to memory of 2156	1812	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 1812 wrote to memory of 2156	1812	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 1812 wrote to memory of 2156	1812	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 2156 wrote to memory of 832	2156	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 2156 wrote to memory of 832	2156	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 2156 wrote to memory of 832	2156	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 2156 wrote to memory of 832	2156	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 2156 wrote to memory of 832	2156	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 2156 wrote to memory of 832	2156	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 2156 wrote to memory of 832	2156	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 2156 wrote to memory of 832	2156	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 2156 wrote to memory of 832	2156	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 2156 wrote to memory of 832	2156	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe