Analysis Overview
SHA256
259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c
Threat Level: Known bad
The file 259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Djvu Ransomware
Downloads MZ/PE file
Modifies file permissions
Loads dropped DLL
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:49
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:49
Reported
2024-01-15 04:54
Platform
win7-20231215-en
Max time kernel
298s
Max time network
157s
Command Line
Signatures
Detected Djvu ransomware
Djvu Ransomware
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e7d28f56-34ff-4120-a059-484b3944e21f\\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe
"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe"
C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe
"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e7d28f56-34ff-4120-a059-484b3944e21f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe
"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe
"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe
"C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe
"C:\Users\Admin\AppData\Local\9513b4d3-5698-45a8-b68a-f952a34d29ef\build3.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {712143BD-0B46-47E6-B63D-EF6FCB6F3458} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| KR | 175.119.10.231:80 | habrafa.com | tcp |
| AR | 186.13.17.220:80 | habrafa.com | tcp |
| AR | 186.13.17.220:80 | habrafa.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:49
Reported
2024-01-15 04:54
Platform
win10-20231215-en
Max time kernel
1s
Max time network
250s
Command Line
Signatures
Detected Djvu ransomware
Djvu Ransomware
Downloads MZ/PE file
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fc7c7492-46ca-4ffe-a76a-dee17d408988\\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4460 set thread context of 3752 | N/A | C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe | C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe |
| PID 3460 set thread context of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe | C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe
"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe"
C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe
"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\fc7c7492-46ca-4ffe-a76a-dee17d408988" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe
"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe
"C:\Users\Admin\AppData\Local\Temp\259c0c3e8fdad5211cb7a1998f13421e544f93f6ad8238b81f53fca45a141a4c.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\2af8329d-97db-412c-b7b8-ee8aad40aa0e\build3.exe
"C:\Users\Admin\AppData\Local\2af8329d-97db-412c-b7b8-ee8aad40aa0e\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\2af8329d-97db-412c-b7b8-ee8aad40aa0e\build3.exe
"C:\Users\Admin\AppData\Local\2af8329d-97db-412c-b7b8-ee8aad40aa0e\build3.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| KR | 175.119.10.231:80 | habrafa.com | tcp |
| BA | 185.12.79.25:80 | habrafa.com | tcp |
| BA | 185.12.79.25:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | 231.10.119.175.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.79.12.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files