djvu | 75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1

Analysis

max time kernel
292s
max time network
125s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
Size

723KB
MD5

7d80b0edbef2905f9b7e16495634fb84
SHA1

d890893f51a0fefd83bad32fd002d91bccf2bd5f
SHA256

75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1
SHA512

ab2f98b5b2823095be19c0a5c8fdbe435f1964dab1cef02e2285ae13ffdeda6578a75668142934479551bd2b8de6ea831e7c559c14c568caa113f404a740c969
SSDEEP

12288:USic4OFvNWF8IiYuEa6DG2P56vyGL3wavO0SYn0d3hP2JodZa1TMnplQWWe0N3:UglWF8IQP6DG2P5WNi0SYnCRuJaZ6WWZ

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://cajgtus.com/test1/get.php

Attributes

extension
.watz
offline_id
Lc3VTezPWbMhuVAQFzJUdeA68PwI7UDpc5aKHYt1
payload_url
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0874PsawqS

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2244-2-0x0000000001D60000-0x0000000001E7B000-memory.dmp	family_djvu
behavioral1/memory/2352-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2352-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2352-7-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2352-46-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/948-54-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/948-55-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/948-73-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/948-75-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/948-74-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/948-76-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/948-78-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/948-81-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/948-80-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/948-82-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/948-83-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2520 icacls.exe

pid	process
2520	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3d812bcc-1f2f-4da4-b215-c1d011687e25\\75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe\" --AutoStart"	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.2ip.ua
4 api.2ip.ua
16 api.2ip.ua

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
16	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

Processes:

75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe

description	pid	process	target process
PID 2244 set thread context of 2352	2244	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 3056 set thread context of 948	3056	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe

pid	process
2352	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
2352	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
948	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
948	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe

C:\Users\Admin\AppData\Local\Temp\75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
"C:\Users\Admin\AppData\Local\Temp\75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Local\Temp\75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
"C:\Users\Admin\AppData\Local\Temp\75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\3d812bcc-1f2f-4da4-b215-c1d011687e25" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2520

C:\Users\Admin\AppData\Local\Temp\75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
"C:\Users\Admin\AppData\Local\Temp\75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
"C:\Users\Admin\AppData\Local\Temp\75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:948

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
1KB

MD5
2365869258df7a66a2121b802ca4afd9

SHA1
73acc30a2edeb9d6830de559bb8a74f35168135d

SHA256
d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed

SHA512
795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
174B

MD5
245cbea262d536c26540e4fadf4d9b0f

SHA1
1b299c94c67692ac921f831bc431f90c415895c6

SHA256
c6ef2c0992590a487dcd60272fade51f5da0c72f2115e68a9086a020d77816a9

SHA512
093ffdd43ec3dfcf724eae2fb9684caab0c2636503435478f76b67c70df31d6f71888461f24b1226991646b987658603a5a8ce0c4956d4f980c5f852c8018952

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bc48bc2168d04f3940d5307125658a99

SHA1
e36b204ef980c2151feb067af220dbf574c30c13

SHA256
7870bd4196b42e5bf97c701bc8d3ef83e50905cdec3f871fe0e4cab9f37c1092

SHA512
7e855fab5a3ccee0528f932501e7d6b5524d358473cd32205be3568a953a944c216f1d8aab4c478a707ab67b5906e903860c8a6435bda7c15367238d79f9e7fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize
170B

MD5
7152320ba1878c788847a282b61350d1

SHA1
a45c436ecaca474b4201decc1a4c52e5a1636bf5

SHA256
49c669f71333a1d560fbb1592792bcfa04a376a9d2f97ba9911d733051423711

SHA512
8ece27556b6b3eb425d2625028f45dd0f9ab8e31e742eed1cfe1504aafb7aeb6650ecb02918fc5aa97447b1c53418a382112628f9b1314c5a37aad9dcd80343f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
e946ac776205d71f492ce99afeb9a535

SHA1
389eb1f3e710fed4268c33f50dc3e87ba70187ce

SHA256
15e9796a4a2999ce1ada67cac2b156870a5a9f157fe5aa7e9f690d615a12f3bc

SHA512
38bdd747ed7ef3275b3473e06060fe3c722ff6af5c64f7e1b136431f8cc77198906e332f94de745f17256fb96d34640ec0d5263644597f12c500799e4c1adf3c

Download Submit
C:\Users\Admin\AppData\Local\3d812bcc-1f2f-4da4-b215-c1d011687e25\75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
Filesize
723KB

MD5
7d80b0edbef2905f9b7e16495634fb84

SHA1
d890893f51a0fefd83bad32fd002d91bccf2bd5f

SHA256
75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1

SHA512
ab2f98b5b2823095be19c0a5c8fdbe435f1964dab1cef02e2285ae13ffdeda6578a75668142934479551bd2b8de6ea831e7c559c14c568caa113f404a740c969

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3BF8.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/948-55-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/948-78-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/948-54-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/948-81-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/948-76-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/948-74-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/948-80-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/948-75-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/948-82-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/948-73-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/948-83-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2244-2-0x0000000001D60000-0x0000000001E7B000-memory.dmp

Filesize
1.1MB

Download
memory/2244-1-0x0000000000320000-0x00000000003B1000-memory.dmp

Filesize
580KB

Download
memory/2244-0-0x0000000000320000-0x00000000003B1000-memory.dmp

Filesize
580KB

Download
memory/2352-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2352-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2352-46-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2352-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2352-7-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3056-53-0x0000000000730000-0x00000000007C1000-memory.dmp

Filesize
580KB

Download
memory/3056-48-0x0000000000730000-0x00000000007C1000-memory.dmp

Filesize
580KB

Download

description	pid	process	target process
PID 2244 wrote to memory of 2352	2244	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 2244 wrote to memory of 2352	2244	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 2244 wrote to memory of 2352	2244	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 2244 wrote to memory of 2352	2244	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 2244 wrote to memory of 2352	2244	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 2244 wrote to memory of 2352	2244	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 2244 wrote to memory of 2352	2244	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 2244 wrote to memory of 2352	2244	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 2244 wrote to memory of 2352	2244	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 2244 wrote to memory of 2352	2244	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 2244 wrote to memory of 2352	2244	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 2352 wrote to memory of 2520	2352	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	icacls.exe
PID 2352 wrote to memory of 2520	2352	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	icacls.exe
PID 2352 wrote to memory of 2520	2352	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	icacls.exe
PID 2352 wrote to memory of 2520	2352	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	icacls.exe
PID 2352 wrote to memory of 3056	2352	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 2352 wrote to memory of 3056	2352	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 2352 wrote to memory of 3056	2352	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 2352 wrote to memory of 3056	2352	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 3056 wrote to memory of 948	3056	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 3056 wrote to memory of 948	3056	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 3056 wrote to memory of 948	3056	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 3056 wrote to memory of 948	3056	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 3056 wrote to memory of 948	3056	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 3056 wrote to memory of 948	3056	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 3056 wrote to memory of 948	3056	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 3056 wrote to memory of 948	3056	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 3056 wrote to memory of 948	3056	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 3056 wrote to memory of 948	3056	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe
PID 3056 wrote to memory of 948	3056	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe	75a54146aef1fdce1499fcc4bcd379ea48ceb0556c6b37e158d87bb6e6d79fc1.exe