Malware Analysis Report

2025-08-06 04:33

Sample ID 240125-xbhpdadghl
Target 753a72923bbbcde52682c31fcc134124
SHA256 25a605a5eb395c355f464bdec7a391985069ce226ce75675e0df281ccb98c7d5
Tags
djvu discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

25a605a5eb395c355f464bdec7a391985069ce226ce75675e0df281ccb98c7d5

Threat Level: Known bad

The file 753a72923bbbcde52682c31fcc134124 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Modifies file permissions

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 18:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 18:40

Reported

2024-01-25 18:43

Platform

win7-20231215-en

Max time kernel

146s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c836a456-77bf-4228-be4d-8ab3517ba2c4\\753a72923bbbcde52682c31fcc134124.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1308 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1308 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1308 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1308 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1308 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1308 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1308 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1308 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1308 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1308 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1308 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 2848 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Windows\SysWOW64\icacls.exe
PID 2848 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Windows\SysWOW64\icacls.exe
PID 2848 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Windows\SysWOW64\icacls.exe
PID 2848 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Windows\SysWOW64\icacls.exe
PID 2848 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 2848 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 2848 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 2848 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 2780 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 2780 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 2780 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 2780 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 2780 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 2780 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 2780 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 2780 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 2780 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 2780 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 2780 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe

Processes

C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe

"C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe"

C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe

"C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c836a456-77bf-4228-be4d-8ab3517ba2c4" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe

"C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe

"C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.2:443 api.2ip.ua tcp
US 188.114.97.2:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp

Files

memory/1308-0-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/1308-2-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/2848-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1308-4-0x0000000002180000-0x000000000229B000-memory.dmp

memory/2848-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2848-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2848-8-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\c836a456-77bf-4228-be4d-8ab3517ba2c4\753a72923bbbcde52682c31fcc134124.exe

MD5 753a72923bbbcde52682c31fcc134124
SHA1 7a7a4ef36dc84994c250b32d03d8398c5116e091
SHA256 25a605a5eb395c355f464bdec7a391985069ce226ce75675e0df281ccb98c7d5
SHA512 303ae0cc51e7d41321c0f44ebcd0f5d8284cd16e79f3529102628cb99e637cea6a0aa4d2bf17bc8491ef2d62ceb8cd87ae3b2b87a8e6e6fc3bd64e564160075d

memory/2780-28-0x00000000020C0000-0x0000000002151000-memory.dmp

memory/2848-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2780-29-0x00000000020C0000-0x0000000002151000-memory.dmp

memory/2092-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2092-35-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 678800a3e57bf8e58c6c0029c6eb59a4
SHA1 915c2153065cb020bca51bc728d2adb669edfd4f
SHA256 fb408821fe73f1922f999ed728af154b47259b5e2fdd8242ac12db54d23294f0
SHA512 19da85e00c19a27b88e9ba62af645d0c50a81ab542edbf11c74863ebdd39c9b75bb983967d3a412aa32df4b82206041260b5a867bfe77e498bd480d8d56ebea1

C:\Users\Admin\AppData\Local\Temp\Cab780D.tmp

MD5 d71dff97ca86ca16c3db8bdb5285fb35
SHA1 271c01246897497d069b81ed37af296cf6c1e498
SHA256 4a19255504acfbd49c4e1aed722c7e62b50b5742b860eedabc5f46160f8aefac
SHA512 1fed2a183296b563e35d803927e539d28169895f6ca5b522a1c714f222a2d3e578b1e167b19568b5ad4800b898f7ac041c7bd8f6bb02d1361b32cbdcfb0f682a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 904382f280cc9726bb2de9689bc102dc
SHA1 50f334269a02ac100a0f5bdc4026cbdece181208
SHA256 04414f5dd6ae8130ece8b6ef8db7c61fb1a9adace42965c922dc2eb479646c8d
SHA512 9bbd076b4792a2738504913e4d1f0a1915b975474e0e9726380222792618932c1bfdd494f09791a2569a2e493d748ff080292da175debe64b1eb67942f36f9c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 73a64388fdce3ed14d962171d115ecfc
SHA1 f6492dc95aac06984082b99862e26a23f2cea006
SHA256 4a601877f3aef0a40468c3ce5a84cac1f4f0afdf32c89d5530420bcc283c705a
SHA512 27d18ee1d139e04b43c92db20c6fef5d7a9fe7b602432472d7313e3367df48a987c1fddec9cd46eee30ce097968e83cf280fd0d4b5f3ab2f7736004bdd2a342e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 d00cc6d25614c515b6e2d64d90033d15
SHA1 449ca823652db2a579cbd6b06284ff061147f6ba
SHA256 ab0d18e7b28375f2cc703c9b7c899fb9ea9429783709f358a47e42fe850ed53d
SHA512 80e6454003cd85122a068c3353defe50ddb97ece70204ebd7c7172093df1ac506e4f023e4b991b4673407ed619d4932439675ba6893d0436ecc927d54f3c9f96

memory/2092-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2092-48-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2092-50-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2092-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2092-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2092-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2092-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2092-58-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 18:40

Reported

2024-01-25 18:43

Platform

win10v2004-20231222-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3eeb72eb-4ef6-401d-be37-2fa23c11e5f3\\753a72923bbbcde52682c31fcc134124.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1692 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1692 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1692 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1692 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1692 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1692 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1692 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1692 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1692 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1456 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Windows\SysWOW64\icacls.exe
PID 1456 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Windows\SysWOW64\icacls.exe
PID 1456 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Windows\SysWOW64\icacls.exe
PID 1456 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1456 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 1456 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 4396 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 4396 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 4396 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 4396 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 4396 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 4396 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 4396 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 4396 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 4396 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
PID 4396 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe

Processes

C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe

"C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe"

C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe

"C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\3eeb72eb-4ef6-401d-be37-2fa23c11e5f3" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe

"C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe

"C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 61.179.17.96.in-addr.arpa udp

Files

memory/1692-1-0x00000000026A0000-0x000000000273A000-memory.dmp

memory/1692-2-0x0000000002870000-0x000000000298B000-memory.dmp

memory/1456-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1456-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1456-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1456-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\3eeb72eb-4ef6-401d-be37-2fa23c11e5f3\753a72923bbbcde52682c31fcc134124.exe

MD5 753a72923bbbcde52682c31fcc134124
SHA1 7a7a4ef36dc84994c250b32d03d8398c5116e091
SHA256 25a605a5eb395c355f464bdec7a391985069ce226ce75675e0df281ccb98c7d5
SHA512 303ae0cc51e7d41321c0f44ebcd0f5d8284cd16e79f3529102628cb99e637cea6a0aa4d2bf17bc8491ef2d62ceb8cd87ae3b2b87a8e6e6fc3bd64e564160075d

memory/1456-16-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4396-18-0x0000000000AE0000-0x0000000000B79000-memory.dmp

memory/3084-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3084-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3084-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 d00cc6d25614c515b6e2d64d90033d15
SHA1 449ca823652db2a579cbd6b06284ff061147f6ba
SHA256 ab0d18e7b28375f2cc703c9b7c899fb9ea9429783709f358a47e42fe850ed53d
SHA512 80e6454003cd85122a068c3353defe50ddb97ece70204ebd7c7172093df1ac506e4f023e4b991b4673407ed619d4932439675ba6893d0436ecc927d54f3c9f96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 b1c5fc3fe0be24b5046d8d4af405c374
SHA1 91a1429dd737fb54ce556a9f52cb6a8734c3927a
SHA256 c9976375152f4323a40e336778955481389a5c309f3e88e04318adbc34630b23
SHA512 18835220d917f8773db7ea3063beb09d073d53bcc45319120acc57f79aeb3dd30089b4e929ed4c7c1d8138dd2f61597c6d161e9de8952a22480372cb81d92017

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b4858a4e5a63d4cc158301a046ae6ac4
SHA1 67f0702174f735ba1f1824b2fdb1ef90ed206214
SHA256 b8c5a9874077bebfc06782732fe60e97361927f8af5dfe382ec5cadb317e56dc
SHA512 4aea7e631e6a9e472c16aa51d5a820643c8405c9da63b99a9f0bc0f7399783a3ab24bab6f2320c0c11cbd849bf02ba9ecb5f6c78f596fd37459e6947c7f1dadf

memory/3084-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3084-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3084-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3084-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3084-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3084-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3084-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3084-37-0x0000000000400000-0x0000000000537000-memory.dmp