Malware Analysis Report

2025-08-10 18:25

Sample ID 240115-ffv2tshfbq
Target 259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c
SHA256 259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c
Tags
djvu discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c

Threat Level: Known bad

The file 259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Downloads MZ/PE file

Modifies file permissions

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:49

Reported

2024-01-15 04:54

Platform

win7-20231215-en

Max time kernel

298s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (14 matches, no details recorded)

Djvu Ransomware

ransomware djvu

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e7d28f56-34ff-4120-a059-484b3944e21f\\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua (3 lookups) N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1232 set thread context of 660 N/A C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe
PID 2704 set thread context of 1984 N/A C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe
PID 2844 set thread context of 2016 N/A C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe
PID 3004 set thread context of 1100 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1392 set thread context of 880 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1568 set thread context of 1608 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1200 set thread context of 868 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 696 set thread context of 564 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe (2 invocations) N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 660 (11 writes) N/A C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe
PID 660 wrote to memory of 2556 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe C:\Windows\SysWOW64\icacls.exe
PID 660 wrote to memory of 2704 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe
PID 2704 wrote to memory of 1984 (11 writes) N/A C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe
PID 1984 wrote to memory of 2844 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe
PID 2844 wrote to memory of 2016 (10 writes) N/A C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe
PID 2016 wrote to memory of 2724 (4 writes) N/A C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 768 wrote to memory of 3004 (4 writes) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3004 wrote to memory of 1100 (10 writes) N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1100 wrote to memory of 1724 (2 writes) N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe
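
The two tables above record every cross-process write and every thread-context change as its own row, which hides the shape of the chain. Read together with the PIDs, they show the sample (PID 1232) writing into and resetting the thread context of a second copy of itself (660), that copy relaunching itself with --Admin IsNotAutoStart IsNotTask (2704 -> 1984, same write-then-SetThreadContext pattern), the hollowed copy starting build3.exe, which again hollows its own child (2844 -> 2016) and registers the Azure-Update-Task task, after which taskeng.exe starts mstsca.exe every minute and each instance hollows a child (3004 -> 1100 and the later pairs). The script below is an added example, not part of the sandbox report: it parses rows in the report's own row format (with or without a collapsed "(N writes)" count), counts writes per parent/child pair, flags a pair as a hollowing candidate only when a write is paired with a SetThreadContext on the same child, and walks the write edges back to rebuild a process lineage. The rows embedded in it are a constructed subset copied from the behavioral1 tables; the Event class and the function names are this example's own.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Row shape used by the report's "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" tables; an optional "(N writes)" count
# is accepted so collapsed rows parse as well as raw ones.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<kind>wrote to memory of|set thread context of) (?P<dst>\d+)"
    r"(?: \((?P<n>\d+) writes\))? N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"
)

# Image paths copied from the report so the constructed rows stay realistic.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe"
BUILD3 = r"C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe"
MSTSCA = r"C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
ICACLS = r"C:\Windows\SysWOW64\icacls.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"

# Constructed subset of the behavioral1 rows (write counts as in the report).
REPORT_ROWS = "\n".join([
    f"PID 1232 wrote to memory of 660 (11 writes) N/A {SAMPLE} {SAMPLE}",
    f"PID 660 wrote to memory of 2556 (4 writes) N/A {SAMPLE} {ICACLS}",
    f"PID 660 wrote to memory of 2704 (4 writes) N/A {SAMPLE} {SAMPLE}",
    f"PID 2704 wrote to memory of 1984 (11 writes) N/A {SAMPLE} {SAMPLE}",
    f"PID 1984 wrote to memory of 2844 (4 writes) N/A {SAMPLE} {BUILD3}",
    f"PID 2844 wrote to memory of 2016 (10 writes) N/A {BUILD3} {BUILD3}",
    f"PID 2016 wrote to memory of 2724 (4 writes) N/A {BUILD3} {SCHTASKS}",
    f"PID 768 wrote to memory of 3004 (4 writes) N/A {TASKENG} {MSTSCA}",
    f"PID 3004 wrote to memory of 1100 (10 writes) N/A {MSTSCA} {MSTSCA}",
    f"PID 1100 wrote to memory of 1724 N/A {MSTSCA} {SCHTASKS}",
    f"PID 1100 wrote to memory of 1724 N/A {MSTSCA} {SCHTASKS}",
    f"PID 1232 set thread context of 660 N/A {SAMPLE} {SAMPLE}",
    f"PID 2704 set thread context of 1984 N/A {SAMPLE} {SAMPLE}",
    f"PID 2844 set thread context of 2016 N/A {BUILD3} {BUILD3}",
    f"PID 3004 set thread context of 1100 N/A {MSTSCA} {MSTSCA}",
])


@dataclass(frozen=True)
class Event:
    src: int
    dst: int
    kind: str        # "write" or "setctx"
    count: int
    src_image: str
    dst_image: str


def parse_rows(text: str) -> list[Event]:
    """Parse table rows; header lines and anything else are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        kind = "write" if m["kind"].startswith("wrote") else "setctx"
        events.append(Event(int(m["src"]), int(m["dst"]), kind,
                            int(m["n"] or 1), m["src_image"], m["dst_image"]))
    return events


def summarize(events: list[Event]) -> dict:
    """Count writes per parent->child edge and flag hollowing candidates."""
    writes: Counter = Counter()
    setctx: set[tuple[int, int]] = set()
    image: dict[int, str] = {}
    for e in events:
        image.setdefault(e.src, e.src_image)
        image.setdefault(e.dst, e.dst_image)
        if e.kind == "write":
            writes[(e.src, e.dst)] += e.count
        else:
            setctx.add((e.src, e.dst))
    # A parent that both writes into a child and resets the child's thread
    # context is the classic hollowing sequence (ATT&CK T1055.012). A write
    # alone is weak evidence: taskeng -> mstsca here is the scheduled task
    # starting the binary, and it never appears in the SetThreadContext table.
    hollowing = [
        {"parent": src, "child": dst, "writes": writes[(src, dst)],
         "image": image[dst], "same_image": image[src] == image[dst]}
        for (src, dst) in sorted(setctx) if (src, dst) in writes
    ]
    return {"writes": writes, "setctx": setctx, "image": image, "hollowing": hollowing}


def lineage(events: list[Event], pid: int) -> list[int]:
    """Walk write edges upward (first writer = parent) to rebuild the chain."""
    parent: dict[int, int] = {}
    for e in events:
        if e.kind == "write" and e.src != e.dst:
            parent.setdefault(e.dst, e.src)
    chain = [pid]
    while chain[0] in parent and parent[chain[0]] not in chain:
        chain.insert(0, parent[chain[0]])
    return chain


if __name__ == "__main__":
    evs = parse_rows(REPORT_ROWS)
    for h in summarize(evs)["hollowing"]:
        print(f"{h['parent']} -> {h['child']}: {h['writes']} writes, "
              f"same image: {h['same_image']}, {h['image']}")
    print(" -> ".join(map(str, lineage(evs, 2724))))
```

Every flagged pair here has the same image on both sides, which is the self-hollowing variant; a pair whose child image differs (a sample writing into a freshly started svchost.exe, say) would be reported the same way, with same_image False. The four pairs the report lists under SetThreadContext for mstsca.exe after 3004 -> 1100 would be flagged identically once their write rows are fed in.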

Processes

C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe

"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe"

C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe

"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\e7d28f56-34ff-4120-a059-484b3944e21f" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe

"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe

"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe

"C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe

"C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {712143BD-0B46-47E6-B63D-EF6FCB6F3458} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (9 further instances, each launched with the bare path as its command line)

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
KR 175.119.10.231:80 habrafa.com tcp
AR 186.13.17.220:80 habrafa.com tcp
AR 186.13.17.220:80 habrafa.com tcp
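
Three of the rows above are the ones worth turning into host-side detections. The Run value SysHelper relaunches the copy kept in a GUID-named folder under AppData\Local with --AutoStart; the icacls call adds a deny ACE for Everyone (S-1-1-0) on that folder for Delete and Delete Subfolders/Files (DE,DC), inherited to files and subfolders ((OI)(CI)), so the dropped copy cannot be deleted until the ACL is changed; and schtasks registers Azure-Update-Task to run mstsca.exe from AppData\Roaming every minute. The Files section shows why hashes are a poor handle for this run: mstsca.exe is written under nine different hashes and build3.exe under five, while the paths, the task name and the Run value stay fixed. The ruleset below is an added example, not part of the report or of any product: it evaluates rules for those three behaviours, for the api.2ip.ua external-IP lookup and for the two other domains in the Network table over constructed telemetry events. The event dict schema (type, key, value, data, image, cmdline, query), the benign control events, the choice of which process issues each DNS query, and the IP-echo hostnames other than api.2ip.ua are this example's own assumptions. The schtasks rule generalises from the report's /mo 1 to any MINUTE schedule of five minutes or less whose action lives under a user profile.

```python
from __future__ import annotations

import re

# ---- Constructed host telemetry, modelled on the report's rows (not real EDR output) ----
SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\e7d28f56-34ff-4120-a059-484b3944e21f"
SAMPLE_EXE = SAMPLE_DIR + r"\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe"
MSTSCA = r"C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

EVENTS = [
    {"type": "registry_set",
     "key": r"HKU\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "SysHelper", "data": f'"{SAMPLE_EXE}" --AutoStart'},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": f'icacls "{SAMPLE_DIR}" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": f'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "{MSTSCA}"'},
    # The report does not name the querying process; the images here are assumed.
    {"type": "dns_query", "image": SAMPLE_EXE, "query": "api.2ip.ua"},
    {"type": "dns_query", "image": MSTSCA, "query": "habrafa.com"},
    # Benign controls that must not fire: a daily backup task and a normal Run entry.
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
GUID_DIR = re.compile(r"(?i)\\appdata\\local\\" + GUID + r"\\")
USER_APPDATA = re.compile(r"(?i)[a-z]:\\users\\[^\\]+\\appdata\\")
TASK_ACTION = re.compile(r'(?i)/tr\s+(?:"([^"]+)"|(\S+))')
TASK_MODIFIER = re.compile(r"(?i)/mo\s+(\d+)")
# api.2ip.ua is from the report; the other names are common IP-echo services added here.
IP_ECHO = {"api.2ip.ua", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
# Domains from the report's Network table: indicators for this sample, not a vetted blocklist.
REPORT_DOMAINS = {"brusuax.com", "habrafa.com"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_run_key(ev: dict) -> str | None:
    """Run value pointing into a GUID-named AppData\\Local folder, or ending in --AutoStart."""
    if ev["type"] != "registry_set" or not ev["key"].lower().endswith(r"\currentversion\run"):
        return None
    data = ev["data"]
    if GUID_DIR.search(data) or data.rstrip().endswith("--AutoStart"):
        return f"Run value {ev['value']} -> {data}"
    return None


def rule_icacls_deny_everyone(ev: dict) -> str | None:
    """icacls /deny for Everyone (S-1-1-0) on a path under a user's AppData."""
    if ev["type"] != "process_create" or basename(ev["image"]) != "icacls.exe":
        return None
    low = ev["cmdline"].lower()
    if "/deny" in low and "s-1-1-0" in low and USER_APPDATA.search(ev["cmdline"]):
        return f"icacls denies Everyone on user profile path: {ev['cmdline']}"
    return None


def rule_schtasks_minute_user_path(ev: dict) -> str | None:
    """Task created on a MINUTE schedule (modifier <= 5) whose action lives under AppData."""
    if ev["type"] != "process_create" or basename(ev["image"]) != "schtasks.exe":
        return None
    cl = ev["cmdline"]
    low = cl.lower()
    if "/create" not in low or "/sc minute" not in low:
        return None
    mo = TASK_MODIFIER.search(cl)
    minutes = int(mo.group(1)) if mo else 1          # schtasks default modifier is 1
    tr = TASK_ACTION.search(cl)
    action = (tr.group(1) or tr.group(2)) if tr else ""
    if minutes <= 5 and USER_APPDATA.search(action):
        return f"task every {minutes} min runs {action}"
    return None


def rule_dns(ev: dict) -> str | None:
    """External-IP lookup services and the domains listed for this sample."""
    if ev["type"] != "dns_query":
        return None
    q = ev["query"].lower()
    if q in IP_ECHO:
        return f"external IP lookup via {q} by {basename(ev['image'])}"
    if q in REPORT_DOMAINS:
        return f"report-listed domain {q} queried by {basename(ev['image'])}"
    return None


RULES = [rule_run_key, rule_icacls_deny_everyone, rule_schtasks_minute_user_path, rule_dns]


def evaluate(events: list[dict]) -> list[dict]:
    """Run every rule over every event; one hit per (event, rule) match."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append({"rule": rule.__name__, "detail": detail})
    return hits


if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(f"[{hit['rule']}] {hit['detail']}")
```

Each rule returns a string on match and None otherwise, so adding one is a single function; real EDR records only need mapping into the same dict shape. The Run-key rule fires on the GUID-named folder alone, which matters because the second detonation (behavioral2) used a different folder name, fc7c7492-46ca-4ffe-a76a-dee17d408988, but the same layout.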

Files

memory/1232-2-0x0000000000540000-0x00000000005D2000-memory.dmp

memory/1232-4-0x0000000001D50000-0x0000000001E6B000-memory.dmp

memory/660-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/660-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/660-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/660-8-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1232-0-0x0000000000540000-0x00000000005D2000-memory.dmp

C:\Users\Admin\AppData\Local\e7d28f56-34ff-4120-a059-484b3944e21f\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe

MD5 d51a96b944ce06d2e91d5f61ad34a0a5
SHA1 b72b5aa08803dfe2e63910bee28abefdd33f285b
SHA256 22be52ae77a44f9e67be35946a244e21f9bea945d066e2b0f45007d638cb5c64
SHA512 bae681b1e3696d6eb2b3f26f4f984a076d369e6350dd4c9de19f2b13562ca2df7a6c533423f872a401f63140114570a7cff901cf86fac31cc72c87d1cc914262

memory/660-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2704-29-0x0000000001D30000-0x0000000001DC2000-memory.dmp

memory/1984-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1984-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2704-34-0x0000000001D30000-0x0000000001DC2000-memory.dmp

memory/2704-27-0x0000000001D30000-0x0000000001DC2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 6462ee0f7a0fc96b728c1ad537f2faa3
SHA1 961e9026b6b729d5e231cecc5dbd3bf0653dd28f
SHA256 e7d61da0ca85f3c7d05f482ac7ad1b6da568790d7f87cc18301b974cf3bc4f72
SHA512 a81c6fc50fc8f8b34d61a799743727d5bcdb97543db8936b0c6837c0f9c6e23f61e1f05cbaff09fb039b4575e013d1728a8256c7bbffeba7ef803ef4b398f8a4

C:\Users\Admin\AppData\Local\Temp\Cab54E4.tmp

MD5 dc38d629e51926a750b443772d7c8c65
SHA1 2868765523e76b2e6706f18ecb665f4631a00d00
SHA256 21a98ea45d4ca76fc03cd769b01345da379395b41295e1506644149d0a378883
SHA512 beb8198332e8771a0475a925a4b31a8a80df9a04dc889442d1a4e024b1b66709acc3e347d50af1868d5d0c351d489cd454fc2523f752ea9dec56b9a9d6048ef4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 de8ab5a0d13b7007771a47c4b70435db
SHA1 6efb6a986fc2e5d9855a6d3b47e11b705fe73b40
SHA256 0a1736a8697114857fc3fa89b58229e2251b97db5a2bf34f76941d10d2f8e43b
SHA512 c1ffe5efcad8e1d477a22720c811953ca2ee877739dbe2ec4021747358707e48bd4180df3fa6ffe09d43f0583ff0ef21941ab49e8feedc8bc871d12315879f53

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 eab19fd0d019757c269c843cb85a3a3b
SHA1 4c798d97a9e9c482c8d3c4e4c0706296fb35bb80
SHA256 d7f27496fc56cbc5ddbbd4cc9f7c4d4b47a443890dc9e68ab3961c9d91dda7e6
SHA512 2de5077e13cf0a4eb672aa95a0354b199c9ec7e9d5142e63222f3d0e7b956723212dd19432bcae8fc832b6eb4c8aed9f399c4feaa03670e885856ca7f89b1092

memory/1984-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1984-50-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1984-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1984-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1984-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1984-58-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe

MD5 69b5f96804d63beab43c4690cf109814
SHA1 be39db1c3c32b8add8783d90e17a54263883425f
SHA256 88f5a9b9c8916ef65ecf53cd0a9e110261b338334acb09579e16f982be253ee8
SHA512 5d72442cef0c778dcddb78751ec1999318930c1d16a88ee963e781572e09d9237339a9fe3fcf67e1fd0fc5638d084ba53e01363af8684eae5bdfcca244164123

C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe

MD5 eeea38588fb7779b64a08d697de74b2d
SHA1 a14a07e264f2699ca081fa236569e8803fcec7ef
SHA256 bffba33f245f868351ba0b86ddbecda64e5b57aefd153918d777fbf910b5b00f
SHA512 77c123984ceffcedbdc9e6eb99dd3918071ddc0e1d2eff1ebdff0e182230f141ad5f8ca339a63cbe6189c7e623b356b9d9ae4c9bbec9d53becd27bf61eed6b16

\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe

MD5 8b6a819c6926597dfa7529b692d7a6cc
SHA1 50c535e9cca464afd3a589d2231d87ce417d4312
SHA256 b9cb5501cc2d257e049e1757062523c7f9ee5a85d57d46538fe492125befd26c
SHA512 dfd28b270d99ad89f8ce1df9750b92ff558f73fe2448bf182b5c1c05c7b180bb29175eeaf5a7c918791d64b36167fc1a6044f1aaff838e02e878782f5f6c0ba9

C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe

MD5 22f566a6872db475990f49438cad2f7e
SHA1 a34d58ea8f06a349499ab2fc98618c295b1ee647
SHA256 382f7f2614d7dbb9f04869de5299c768fcff9c62f9808c5c14a6a822b2924b74
SHA512 b27baa18c577bdecdf8cede0ac8d6ce1e00f5b68c8e4d4e96010e2b66437e9eabff04140137468f64a18510e5faf3d7de1a761eab8d8361bfbdc9c711c2aacb8

C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe

MD5 9da9fcbf2004bd6e092e999264c9dd70
SHA1 c17d53b3e1955b92a83e610765080b8c0e1f8051
SHA256 32bfabee3c5bfa62a18c1775cd9240dd91769278a81d75896a3127ebcb626726
SHA512 7a695a9f4dc6e4e2b206c5661fb0dff98f8fff4de076ccb2945d6b234dc272f7ff55ca2ade49d0ca60008bc1a66bdbc044ddeb37abe5e8a981026c2ada5f3504

memory/2016-76-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2844-78-0x0000000000220000-0x0000000000224000-memory.dmp

memory/2016-83-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2016-81-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe

MD5 c14d3c1daefc7e9e61f4f3ecb196a072
SHA1 bee055bea9fef82d9cad9048a33cc1846fff8fb8
SHA256 75ebcfcd9ff6016bfa03591fe7eb04c86e022083f7a95321b69bc10a68719855
SHA512 bcacb8f84e405362260f3eec93bbccb37dc45f15117f7e2388dbc6a8133d1b50fc89e95f12a88fd450681391a9f2eff8ef1c06e18cb1e1182f764c3a6436fe47

memory/2844-77-0x0000000000C30000-0x0000000000D30000-memory.dmp

memory/1984-69-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 4b3fc3105731c7ff3a7e3966416912a2
SHA1 0e792bf25e8795158074fa6bd2ee87ad16675124
SHA256 c0f698bcc4324958848de5d8e1b1bdaed5e01632d8c827a5a95356eb04a2c443
SHA512 6ed5ee0139d9d9a676232a6c5d6e9a8528f880025a11fccf8a1a32a999ae5fac41f993c384fabec788e4e47da714d67f1def0348da6b0f4392e7fc7ff1098c28

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ff59ea1d59b4c977ecdf579de18781a
SHA1 37412c5635ea4180957984d0ac8dc5819463f82d
SHA256 1cb305547cc2d78483cb2ce3d481620428767cd1c44e409f5cf90aeda9c47f5a
SHA512 b5c52cc8040ba74d577b261f12b6382180db71797aa4a39a6a96b25ada98025be3616381684f839806f62a36b62fced08edb5ff1e7829c5bb2301dd5f56e4b42

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 259d74ac1403a3e2144e23a3050d610b
SHA1 cc632aa69a799b422e0faffdde605ec78d9bb310
SHA256 211f13c11f4281bc844099836f0dd38807826c76dac057e3db7ab6fdeeeef51b
SHA512 698113e9488202c8ea8c4b14be9b3f4ccd281bc11c364bc364222ddcfe412674fecddf5e5200407eb1e051fc3a3cb7bfd12a3ac4c2a59304ad59e5ff73262fa8

memory/3004-90-0x0000000000880000-0x0000000000980000-memory.dmp

memory/2844-96-0x0000000000220000-0x0000000000224000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 e9831ecd7df9b3c3c426897bc93cc9d5
SHA1 88f3641b08b040734c83589bf2436fee926d1f2e
SHA256 f8cd0322bac1b1e1a04d1b4be1a4e893792090fc864bc3ea51d78e6b98f99ee4
SHA512 9fa0d9261fda5a373306ec09b0e6597659437c9fe8dad8f0722b63de45a05e0eba2f85cf2f046778334668ec095456b24c57d48a9db7ef3ac98e298c4b53af02

memory/1392-118-0x00000000002F0000-0x00000000003F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 967e39a49e4faaad6896141a43ad9f52
SHA1 a6ce3181fc8e5fdcfdced9d0d1d12701565ca2f4
SHA256 76c29f45967335894674f3833a039731a2adbe4fee70308d41fd5388a474bd66
SHA512 1c72662c4a67654189c833adb289b5bf9e1ec565e2caf596427dcc819ee9aed40a542fb25ec0a27688f7a6799359d1259897e805d8b92d66caa0ba35737d184c

memory/1568-139-0x0000000000952000-0x0000000000962000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 dde36f65adfd1c6a0c3c1957265fd03a
SHA1 6381758199ddb003739da7dc95145628cebef393
SHA256 b45104ab4ed7b174859b33240dbb47344faa5789844f72be44397dcb063329e2
SHA512 8a4a8880a769dcac006dc83dd0e04b5d6e3273064340f461d57015a460b2dc24061c73e660e120bef049f43173d88a0c9af27e044af67c0f17a7504b1c546378

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 4f4cc162cfdee11dcae198a4203b9076
SHA1 3a225cacb10541f7f7b006565c48dc0abcc1e335
SHA256 fd4c1b8daa70eb8fc728ca5054af55992048862b67cc2983b6d538eb34d80342
SHA512 1f2ccedaad2838f4eacafd08212fadffa81a1f38c022253a1fddee771347557f2c57fc13a714d19f96f64f11bea250c5030a73debb68e60d3983bcf636c7beb4

memory/1200-161-0x0000000000312000-0x0000000000322000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 8fba0ecddc1f7635ee45247a0e021f9b
SHA1 7a430a8fa16ea782f0d8f426b458080a4ffc7bc5
SHA256 4b4248693138f01288b2204b9833ad2ddce5649c8b1bbcfa4b3b6699b3633f52
SHA512 7ef100331fe10a9e3c677ea548196de292568c6cbb253c9b11b43eeabfc43837dc0ce1673d47c4308c2f3f212b84c2846b92cd0b379cde3352626cd38450da30

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/696-184-0x0000000000870000-0x0000000000970000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:49

Reported

2024-01-15 04:54

Platform

win10-20231215-en

Max time kernel

1s

Max time network

250s

Command Line

"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (19 matches, no details recorded)

Djvu Ransomware

ransomware djvu

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fc7c7492-46ca-4ffe-a76a-dee17d408988\\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4460 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe
PID 3752 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe C:\Windows\SysWOW64\icacls.exe
PID 3752 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe
PID 3460 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe

"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe"

C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe

"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\fc7c7492-46ca-4ffe-a76a-dee17d408988" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe

"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe

"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\2af8329d-97db-412c-b7b8-ee8aad40aa0e\build3.exe

"C:\Users\Admin\AppData\Local\2af8329d-97db-412c-b7b8-ee8aad40aa0e\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\2af8329d-97db-412c-b7b8-ee8aad40aa0e\build3.exe

"C:\Users\Admin\AppData\Local\2af8329d-97db-412c-b7b8-ee8aad40aa0e\build3.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
KR 175.119.10.231:80 habrafa.com tcp
BA 185.12.79.25:80 habrafa.com tcp
BA 185.12.79.25:80 habrafa.com tcp
US 8.8.8.8:53 231.10.119.175.in-addr.arpa udp
US 8.8.8.8:53 25.79.12.185.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

memory/3752-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3752-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4460-4-0x00000000023A0000-0x00000000024BB000-memory.dmp

memory/4460-2-0x0000000000660000-0x00000000006F8000-memory.dmp

memory/3752-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3752-1-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\fc7c7492-46ca-4ffe-a76a-dee17d408988\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe

MD5 895cb14fd41a22e2308a95263ec9ff7b
SHA1 a8f7867c654290071d0d0398bb6b1c83e8ea38c0
SHA256 8c3aa8c0f81bd55e0bd9a58cdff549d9a45cc1330119a327159c7255a33739b8
SHA512 f7402cfa6a5e44ec118d14c43c0850ca6695aec590d05361a9611be905e10e1145be98ff2011ddfa3ccd3ea83e555724cea8f6ce021572e3dbe72f091efe5f77

memory/664-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/664-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/664-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3460-20-0x0000000002000000-0x00000000020A2000-memory.dmp

memory/3752-17-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 3c3a63faadf555ee93bf2e83b6ebe1fe
SHA1 3498135e68f00fc3c97c65003771c73b1fc475e1
SHA256 3e20395d60b0a6ad75ef8a1156838ef1abca10c292347a617de72b1226065f35
SHA512 25b0e8736e644c87e52f12c6ceaf9bb5911af909236ea65091a13312edd20b7dc036b58d775ddee575ae4a74473709d0f3b77cdad9c10fe3ed2794aa7762fb13

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

memory/664-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/664-30-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 9cc1977b23fb385caa5defc738fa074e
SHA1 9d3ee63d8333d4414afceee9c8e15c4e1411df2e
SHA256 befbd5d5a22aa285c37b6eff8673c6e04219f427ee42169dd38508066baaa1fe
SHA512 f6ddaa523c854fe02d93052aad56b00462d86a5b226a181b7cc94cbbc3b264d817162b7ed12047bf2338cdca6c982ae5d327ca3f77ea021b92613591b1157ec6

memory/664-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/664-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/664-34-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\2af8329d-97db-412c-b7b8-ee8aad40aa0e\build3.exe

MD5 341600276b87f80e07f34f1b6c8038bc
SHA1 67d4c4e81d7e85ea013ba02d8e29ef5ce67d50b8
SHA256 653cd9ed62bf0ee54e1a48c33705c9598e9da24a23bd751071c58f905699b76e
SHA512 46f1e26856a801de8815598c3d2fdc5945e911227824b7996e61d7c049e3ae23c86374d0bba7099ee6623f57712bd565cc13df3bfc21924cdec0be48e9f18083

memory/664-44-0x0000000000400000-0x0000000000537000-memory.dmp

memory/664-46-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1276-50-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1276-55-0x0000000000400000-0x0000000000406000-memory.dmp

memory/928-54-0x0000000000A30000-0x0000000000A34000-memory.dmp

memory/1276-57-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1276-58-0x0000000000410000-0x00000000004D5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 5b6805ce19a9d692775fdcf07621fb90
SHA1 fa41add6cf3aca32261d05bed20f4d1c4c4e7753
SHA256 c10230df14526df0bd2c32e83770bc344a69b6806c39657d365b35dc69ffc203
SHA512 c976b03cdd951da99e831ada7023a8918f36d0435c2009d9309374ec8d2181239f12bf339c5d07b3cd00ae4fadf3846bbf441c8619beb46c5785c8b3f16671bd

memory/928-53-0x0000000000B20000-0x0000000000C20000-memory.dmp

C:\Users\Admin\AppData\Local\2af8329d-97db-412c-b7b8-ee8aad40aa0e\build3.exe

MD5 e8c37ac0c4dd6c1450b8c08d873773fd
SHA1 49682bcd7d080ea60c34b932c32d8658f7bc7f92
SHA256 dc91b0d0c8fa8e706a86e4f527db028cbc57add4a18a9dc37e181d6bed9ee0f9
SHA512 2050a2d55bbd73aa97b6db510bf7646093249bff375284238f8c123a52abb25aa870c17fde69c962ceca4251d3e9bf364077143da385456d1dfcf88cbe75fa18

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 59892a39ba2b2717aef3c019564097b1
SHA1 342361c03743020a822d72d5509b6bb270765789
SHA256 925b8880fa83170f3838abbb18c9a6106de9c17801e215cfe963fe0dbff362fa
SHA512 23e23f539fa933ebd2d9aa08666af298f19da820c10039c56a2c25f62aa958ad7c56d00421d1bb9e39847ec4d331f7584b9d6a7a79112a5bf0f84cac126b9378

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 67e826443af0cdc24b8af2c6bc534399
SHA1 0109f1a4fd0cf4e1a5c3527330043474e57958a0
SHA256 e8aa30d33d12822ca96df7ba8ca952dea53d6cfaf1d47035e57b3a5cb790573f
SHA512 138b878dba5ba66b8091ba277585c4a426f0ce553ddcc0f1c8baa79c513d729d3714d51cfe243d9bc468ba669a1299458a887dd7c8dbe236c138af202404d640

memory/928-64-0x0000000000A30000-0x0000000000A34000-memory.dmp

memory/5088-70-0x00000000009F0000-0x0000000000AF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 b05cd04bc58650a405cb7c7d8d6fa373
SHA1 4d02eb24b7ee9ba78a8f40fad17528a280c3f0e5
SHA256 e0c09078814869d10d681165dad8ec40757fdcaefd16a86a500171db1ef1de55
SHA512 8f26cbf34f95084f94ae07976ad05cc85fd26e5d61084adbafdd950d04316f09781ea3fbe5db06e11acc3f00f78db964b2cbcf7f4bbce3d104e6e6fd16856186

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 a11428adbd11e433a8f87cc5095c090f
SHA1 df903c7aebb264282ecf0071b28f11ec2901a59b
SHA256 0410d150f7d6670d35dce7f9522d6fa8f49ca0adb6a04e730842e9791b2d73ee
SHA512 3cb47f45fc7f9e7e7219081f2da4793ebf2101995f4538877d9c2dbeb827256d8d29e5873c497ebad3e0d824dc5fb3d86ab3cb08d335b3ee57fe5f275f8b87c4

memory/3860-91-0x0000000000970000-0x0000000000A70000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 f90b73a4871f8f947904cf1d64d6f843
SHA1 fb842fa3ef0423d5c11304f162ed8810143169c7
SHA256 26a2d08de06f31db8058b4599d182f3965572a44bf17e8a7409a711135dadcef
SHA512 0624012e75210b1148732f00f75c306d35f3d814c1e34ebc34035f1564e98ad5c04b3c06259fe9ab3f4d05692bbdea667c4e7b9b3c8805216a180e70f70dc6a7

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 d3c0700242c3bc72c9b415fdb361b6d3
SHA1 47c0df71abd59089bdd208ed2b4a1089cfb2559e
SHA256 62b924149af8b528b16c28c6d9f26fb5fd657b57815a7210d143a49561273584
SHA512 87ed9f82e91a38f72b32a1e0d8c7c0349613f115096812ced2dcf2aa2b716e9f386b4913b1cbc843dcc76c71e505380f734830f58c2c83039a1011316b3d1183

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 a9f1932ca79889a71338ade9e343889b
SHA1 d72870980c6f7ebed5a1cd32fc9227fe13fcc8b6
SHA256 977b1d6d3c599c7e22f1714b78b0268c97204783b06357d47737e33ec1f93469
SHA512 e425d60b4bd32684ec962de8436d49d01d7c9bca2cd05559b5d0110c2f7debea35ef74af9f3b76b4e50a509feed53fc8c49b08f2b647ed5c8f78914baf877b1d

memory/932-113-0x0000000000A00000-0x0000000000B00000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 d35c806c95b926208b06f305860de044
SHA1 fd111b2072749c0e2b3f1bb7102e4fbcdd8b931b
SHA256 722325dfc7e0a3d8b9c5bcf978e54f9a90a83ffa5d14372a51dc7c3609fee061
SHA512 cb5f66f83bd6a8ddad6d740479d17352d3a8249ab6fec7ea0ee071dcc7f9855ed378dee61bb65e92d272e3fb8187282ce08d0694550cfa610bf6e6508ec5b6a6

memory/3420-134-0x0000000000B1E000-0x0000000000B2E000-memory.dmp

memory/1064-136-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 b3087de634ee92a4bcea1f514761f285
SHA1 e0b309fd3c6031c23353de3377956c1701fb84c8
SHA256 663bd047fd9fc486b61d488102b158d9773a718d56181a163173cb246547127f
SHA512 02f17c22d320d90e3e59871b9e708e53d897381119c482cf44f5fcb858e70a3162c314b677fee8ed493fe21d5af6369847fbc0c9aec54c4a10a6739ed4b151a6

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 ba36023bd75f597a13ac91b1bc9acab1
SHA1 9cca1681bcafff14cb8c016e76d5e06112f3035c
SHA256 a1fb686ed2519dc1a022858f188866ccce15bb17a3b8d8861bab558404d92f8b
SHA512 20d94aaf2f687e6db080267567486983daf34acc2c5e533358ff997a3ce9b64206520b400b662948289e9d6a5a60301da62f53074d62ba899c16255206c5de63

memory/1992-156-0x0000000000B0E000-0x0000000000B1E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9b68e88a96e9bd56293f4c8b39314178
SHA1 a510f7c3d8783d7b8c1335d648cabe70db306840
SHA256 73e41876c3fdb962cd993c53d72b055fd7554669bfa8a9ed0de2621cf92f6052
SHA512 181322e7bb160f4a6945b5cbc820e39f1ae29e84b9b60bd64e942d9f281f4599e709716bf80ec54b6c39f7f4e3d6d28ec321970ba28617af8027189951eab513