Malware Analysis Report

2025-08-10 18:25

Sample ID 240115-mxawjsfdd4
Target 5ce52f628bfa89f48f929961d04fa6c8
SHA256 7912d5bd90e1c9427ef14e571589aab9017c823c16849976b6d2fc483fe34d10
Tags
djvu discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7912d5bd90e1c9427ef14e571589aab9017c823c16849976b6d2fc483fe34d10

Threat Level: Known bad

The file 5ce52f628bfa89f48f929961d04fa6c8 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 10:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 10:50

Reported

2024-01-15 10:52

Platform

win7-20231215-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c5894b6b-31bc-4ec5-8c2a-cbbe9285969e\\5ce52f628bfa89f48f929961d04fa6c8.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe
PID 2676 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe C:\Windows\SysWOW64\icacls.exe
PID 2676 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe
PID 2880 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe

"C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe"

C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe

"C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c5894b6b-31bc-4ec5-8c2a-cbbe9285969e" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe

"C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe

"C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.2:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp

Files

C:\Users\Admin\AppData\Local\c5894b6b-31bc-4ec5-8c2a-cbbe9285969e\5ce52f628bfa89f48f929961d04fa6c8.exe

MD5 5ce52f628bfa89f48f929961d04fa6c8
SHA1 aa9c7a0e0721b6cc8a44ef28bd3b23328d8bcb7a
SHA256 7912d5bd90e1c9427ef14e571589aab9017c823c16849976b6d2fc483fe34d10
SHA512 a89eef90f56c652b7821d52b1695cf965cd56bf342f6747ac8bcc75a034f8a137e3ce6c37ed0a0e8ef76a7f26a8dfbab94ada5329836bd8c80a0a57873ab812c

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 10:50

Reported

2024-01-15 10:52

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\24687512-fddb-4022-8c85-a5cd2313b300\\5ce52f628bfa89f48f929961d04fa6c8.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3688 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe
PID 4476 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe C:\Windows\SysWOW64\icacls.exe
PID 4476 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe
PID 3996 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe

"C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe"

C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe

"C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\24687512-fddb-4022-8c85-a5cd2313b300" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe

"C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe

"C:\Users\Admin\AppData\Local\Temp\5ce52f628bfa89f48f929961d04fa6c8.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.2:443 api.2ip.ua tcp
US 8.8.8.8:53 9.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 210.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 96.17.178.174:80 tcp

Files

C:\Users\Admin\AppData\Local\24687512-fddb-4022-8c85-a5cd2313b300\5ce52f628bfa89f48f929961d04fa6c8.exe

MD5 f6c60afc3994059536b8d00445177983
SHA1 5aaf7c2f63de2deebc23ca4282aaa25d608d3141
SHA256 c6b321ebc936c13314c9a4b312fb58dd35797338bb7ef0d7b7b15ab682180ed2
SHA512 345ffa7a918dd52038f0879e14b569cd002b3d230905c1a2748831a6808c27a2af8747a67ead82d7b8d02085397e3dbeed2bf0d2337f4bd87f3935f3f9c1cbab
