Malware Analysis Report

2025-08-06 04:33

Sample ID 240125-e92k2agda6
Target 73c1f532fb36af32c4bf0396e36a046c
SHA256 219371ac3b82f569f98a692a680f54aad32a7932e7f94da9d51c6a2738d59c94
Tags
djvu discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

219371ac3b82f569f98a692a680f54aad32a7932e7f94da9d51c6a2738d59c94

Threat Level: Known bad

The file 73c1f532fb36af32c4bf0396e36a046c was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Modifies file permissions

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 04:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 04:39

Reported

2024-01-25 04:41

Platform

win7-20231215-en

Max time kernel

141s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7c02b0c0-3136-4e77-8233-08a2ca25cc53\\73c1f532fb36af32c4bf0396e36a046c.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2080 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2080 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2080 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2080 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2080 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2080 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2080 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2080 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2080 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2080 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2916 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Windows\SysWOW64\icacls.exe
PID 2916 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Windows\SysWOW64\icacls.exe
PID 2916 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Windows\SysWOW64\icacls.exe
PID 2916 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Windows\SysWOW64\icacls.exe
PID 2916 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2916 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2916 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2916 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2728 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2728 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2728 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2728 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2728 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2728 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2728 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2728 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2728 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2728 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2728 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe

"C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe"

C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe

"C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\7c02b0c0-3136-4e77-8233-08a2ca25cc53" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe

"C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe

"C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp

Files

memory/2080-0-0x0000000000290000-0x0000000000322000-memory.dmp

memory/2080-2-0x0000000000290000-0x0000000000322000-memory.dmp

memory/2080-4-0x0000000002150000-0x000000000226B000-memory.dmp

memory/2916-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2916-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2916-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2916-8-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\7c02b0c0-3136-4e77-8233-08a2ca25cc53\73c1f532fb36af32c4bf0396e36a046c.exe

MD5 73c1f532fb36af32c4bf0396e36a046c
SHA1 50d79516412f9f40ce0c65fef0bacc99ed16361f
SHA256 219371ac3b82f569f98a692a680f54aad32a7932e7f94da9d51c6a2738d59c94
SHA512 96d97622ae4ab607423fb7c0e9e2ed8a6f39ac4b5933cbde84d91b6a235fc291d8ff0fcf67d4a2dc1d38203432b32a226baf63832ab38c6a9ad02f53be033979

memory/2728-27-0x0000000000320000-0x00000000003B2000-memory.dmp

memory/2916-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2728-29-0x0000000000320000-0x00000000003B2000-memory.dmp

memory/2728-34-0x0000000000320000-0x00000000003B2000-memory.dmp

memory/2736-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2736-36-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a50bfa043cd6730f71233e1f1eb82d07
SHA1 d874c00220588acf9f9d3d12ab32d6da8484b88e
SHA256 571944c30b02f033d864fe2717f18319aaaeeaa8c3fab6918a4c83cb9fa078f9
SHA512 e3f81410aa3ea5c4c99410b8f374c76af86ab0a296332a00d040558813f82504ce5ec831adc01ab0f4fbf09b7efc7bef8f8162b8a74d63366220ba89d48ea3d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 819d2f6d228f94bfebac03edbfa4bc64
SHA1 257acbdf2270c5285962d10460a77f422143cc8d
SHA256 e8b016b694a9c3224b6a405cf52010c03b7bc6c8948ecc8a3d9aaa39a18f6d47
SHA512 b81c03ca94d21cdb106281fa478dccd390e07bd0a03d0077952041f3d1d41a671ac9a3d4c97d41d9c8f74b14214abfcaff696a10d0615b603a7a9b1a67adde67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 05bb2f81e36f97aeba09c18b0489ef0d
SHA1 01ada11b01654267961cc060aa6a909093a1d002
SHA256 1e94b2321533b2a646e1486ee4f70b613582b52fd6d31828479092e39a6e7cfd
SHA512 8c6a57fd1002b29b70e7a41ff0d62e531f24ce611078b4c0db93df6ed0e4087632da9a8b898207281e3f6e0ca3dca5091ae77c5910a54da12e247a81ce2603ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d7ec9dbf92b76cc2c32440d0ec9970cb
SHA1 c5920652a5280b96812d8f2d612cbd6101e281ee
SHA256 09cfb151bc405c0210541b64f2a205bb38b99bcb8be1106e6c9013b2c8e685a5
SHA512 e357d4036cf2ae5dad93b24f32c2cd29afbcb824c91642559e1712b18bf00d7dbb3127ca2208d8c412ca1f2aeaa0cb139a4a196f63d5f44637df46f27878efdb

C:\Users\Admin\AppData\Local\Temp\Cab6E3D.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2736-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2736-50-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2736-51-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2736-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2736-58-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2736-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2736-59-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 04:39

Reported

2024-01-25 04:41

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7216289e-a0b9-4a19-bc74-ce457b88119a\\73c1f532fb36af32c4bf0396e36a046c.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 384 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 384 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 384 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 384 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 384 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 384 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 384 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 384 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 384 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 384 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 4464 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Windows\SysWOW64\icacls.exe
PID 4464 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Windows\SysWOW64\icacls.exe
PID 4464 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Windows\SysWOW64\icacls.exe
PID 4464 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 4464 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 4464 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2508 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2508 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2508 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2508 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2508 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2508 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2508 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2508 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2508 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe
PID 2508 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe

"C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe"

C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe

"C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\7216289e-a0b9-4a19-bc74-ce457b88119a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe

"C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe

"C:\Users\Admin\AppData\Local\Temp\73c1f532fb36af32c4bf0396e36a046c.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/384-1-0x0000000002780000-0x0000000002814000-memory.dmp

memory/384-2-0x0000000002820000-0x000000000293B000-memory.dmp

memory/4464-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4464-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4464-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4464-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\7216289e-a0b9-4a19-bc74-ce457b88119a\73c1f532fb36af32c4bf0396e36a046c.exe

MD5 73c1f532fb36af32c4bf0396e36a046c
SHA1 50d79516412f9f40ce0c65fef0bacc99ed16361f
SHA256 219371ac3b82f569f98a692a680f54aad32a7932e7f94da9d51c6a2738d59c94
SHA512 96d97622ae4ab607423fb7c0e9e2ed8a6f39ac4b5933cbde84d91b6a235fc291d8ff0fcf67d4a2dc1d38203432b32a226baf63832ab38c6a9ad02f53be033979

memory/4464-16-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2508-18-0x0000000002540000-0x00000000025D5000-memory.dmp

memory/5104-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5104-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5104-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8564bd6cfd3892d143e10503757a7bd4
SHA1 31a33abc47656e7a056e24d4117513332a897292
SHA256 c67261ea5850439b7421d1a50ba59aae4ddc474fedfb24f0535d94c14405ca27
SHA512 c85ea1ef86a36f724b2df071ad3ea025216b000be07269c89f4bf2c31a681fc92d4ad818ab8c1a43d58181ec0d2fadb3b6c0d1ac60ff7b5479a098ad9dbdf20d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 819d2f6d228f94bfebac03edbfa4bc64
SHA1 257acbdf2270c5285962d10460a77f422143cc8d
SHA256 e8b016b694a9c3224b6a405cf52010c03b7bc6c8948ecc8a3d9aaa39a18f6d47
SHA512 b81c03ca94d21cdb106281fa478dccd390e07bd0a03d0077952041f3d1d41a671ac9a3d4c97d41d9c8f74b14214abfcaff696a10d0615b603a7a9b1a67adde67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 c9941d5cf26c534c228d97f0c01de1e9
SHA1 4548882d5a3fcaccd82656bff3234e3899dbf64f
SHA256 de166b42230ec87ed09d1bdd5c4626cb2853050483bbf4a9ed094223e7a451a8
SHA512 d33f57520432ad70381dfe93c129e0429e8af4845164b46aa3e51a58b23dc0b477998e9fb5d8ce6d111f983a63f185fff7573b0b3d878afbc1d35457a77261e1

memory/5104-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5104-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5104-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5104-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5104-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5104-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5104-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5104-37-0x0000000000400000-0x0000000000537000-memory.dmp