Malware Analysis Report

2025-08-05 13:12

Sample ID 240126-mx2z2adcbn
Target 395590
SHA256 56529b359e4c4695a3e290752d61c59ad3327a16574da95ca69a214552241a63
Tags: djvu discovery persistence ransomware
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 56529b359e4c4695a3e290752d61c59ad3327a16574da95ca69a214552241a63

Threat Level: Known bad

The file 395590 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Modifies file permissions

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-26 10:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 10:51

Reported

2024-01-26 10:54

Platform

win7-20231215-en

Max time kernel

141s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\395590.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (13 identical entries; no indicator details recorded)

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fa5744ef-f1e6-4b85-a51b-a5124ea13e9b\\395590.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\395590.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 identical entries)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1948 set thread context of 2340 N/A C:\Users\Admin\AppData\Local\Temp\395590.exe C:\Users\Admin\AppData\Local\Temp\395590.exe
PID 2692 set thread context of 2556 N/A C:\Users\Admin\AppData\Local\Temp\395590.exe C:\Users\Admin\AppData\Local\Temp\395590.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\395590.exe N/A (4 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\395590.exe C:\Users\Admin\AppData\Local\Temp\395590.exe (11 identical entries)
PID 2340 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\395590.exe C:\Windows\SysWOW64\icacls.exe (4 identical entries)
PID 2340 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\395590.exe C:\Users\Admin\AppData\Local\Temp\395590.exe (4 identical entries)
PID 2692 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\395590.exe C:\Users\Admin\AppData\Local\Temp\395590.exe (11 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\395590.exe

"C:\Users\Admin\AppData\Local\Temp\395590.exe"

C:\Users\Admin\AppData\Local\Temp\395590.exe

"C:\Users\Admin\AppData\Local\Temp\395590.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\fa5744ef-f1e6-4b85-a51b-a5124ea13e9b" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\395590.exe

"C:\Users\Admin\AppData\Local\Temp\395590.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\395590.exe

"C:\Users\Admin\AppData\Local\Temp\395590.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 habrafa.com udp
AL 95.107.163.44:80 habrafa.com tcp

Files

C:\Users\Admin\AppData\Local\fa5744ef-f1e6-4b85-a51b-a5124ea13e9b\395590.exe

MD5 7f26953f4b3b212dfc64af7cd428e45e
SHA1 4db48a550b19341dfeeec94d45620033146cd6e7
SHA256 e7669c6094ee134e27ab00decdda06061024f3ab6a01c1c8d9dcd6b6a1cc1d0e
SHA512 e8e98fa59d66de64e876b42a099c8b41b9f145902e009bcc982789135dbca3f45271e303c9281639d255854f4edf3b4452949addcea0e4ce15982fc2f72a5ef1

C:\Users\Admin\AppData\Local\Temp\Cab1F53.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5cd9580919262d54c0b9527dfaacc8a8
SHA1 d22afc7fc2409beef416def6b4272064a34ae03f
SHA256 80cfebff580c055854c7f6bf75050e4ab6d130012e0dc9278bb0d532420066e3
SHA512 1d393e8dcffc219d00caf6e3a6ac349fd93fb2e210dd087bf6d5ec532826753510d123a84f15cc7aba622c03b6b86383e738b35dc9e041963282ae98cb075cdb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 9d70d03b49202728c6006bb3f8e708f4
SHA1 cbce816abb92923e90a1f09dab764974bf978832
SHA256 24141c4938503ed6d8fc131d39be87fc95e4a6e1a24518a712e556f15356a6b6
SHA512 9c22fd47ae27a7fc3673a7f2eae0eabbe3fb30df10cca4967552715763128a0fc9365a377e68f2e855ed5670dfb66392e6ad8ca4cfcf7ab1128eec035904df90

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 73ce21ff1fb2989f6350ace9274ae9b5
SHA1 7db6c387eb8351f3e8e361d10224711c3477821e
SHA256 d7005273bab949c42fcc73eac7820c4c5f08df1e9095020cdb0e17fc9e282d50
SHA512 a43767a55a559a8bf51d5dcb9bc378167f63e15f571b6be35903048570d036fed2a3f6a37c91f469ee9808d245cdd875b9dad38556e6bf97258a82c7071aeab3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 8afa83e248131a40ab5488f063a5fba0
SHA1 9f5289cde6ceb742ef8ff9d885ee5e78e482e85b
SHA256 5a9bb8132017e7fefd93921830da9e89f2947386c5534356f4036b5e8ca4aa61
SHA512 b43c20428aec4803d83537978d3b3f86ca225f09a3e84f16c0d1be0d341ad57c8fe221e6017eedb4d866bc7816a6b4618a952815578a43e6c73f1b76d5f87f77

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 10:51

Reported

2024-01-26 10:54

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\395590.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (16 identical entries; no indicator details recorded)

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\395590.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e2f0fa20-9d24-4108-b21f-e6500974ea3c\\395590.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\395590.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 identical entries)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1184 set thread context of 3016 N/A C:\Users\Admin\AppData\Local\Temp\395590.exe C:\Users\Admin\AppData\Local\Temp\395590.exe
PID 2904 set thread context of 4900 N/A C:\Users\Admin\AppData\Local\Temp\395590.exe C:\Users\Admin\AppData\Local\Temp\395590.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\395590.exe N/A (4 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1184 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\395590.exe C:\Users\Admin\AppData\Local\Temp\395590.exe (10 identical entries)
PID 3016 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\395590.exe C:\Windows\SysWOW64\icacls.exe (3 identical entries)
PID 3016 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\395590.exe C:\Users\Admin\AppData\Local\Temp\395590.exe (3 identical entries)
PID 2904 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\395590.exe C:\Users\Admin\AppData\Local\Temp\395590.exe (10 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\395590.exe

"C:\Users\Admin\AppData\Local\Temp\395590.exe"

C:\Users\Admin\AppData\Local\Temp\395590.exe

"C:\Users\Admin\AppData\Local\Temp\395590.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\e2f0fa20-9d24-4108-b21f-e6500974ea3c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\395590.exe

"C:\Users\Admin\AppData\Local\Temp\395590.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\395590.exe

"C:\Users\Admin\AppData\Local\Temp\395590.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.2:443 api.2ip.ua tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 188.114.96.2:443 api.2ip.ua tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 habrafa.com udp
KR 211.53.230.67:80 habrafa.com tcp
US 8.8.8.8:53 67.230.53.211.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\e2f0fa20-9d24-4108-b21f-e6500974ea3c\395590.exe

MD5 87ba288f14fbf826d4cf061d9f8e72ed
SHA1 ec1f877e40b5e8917953e54eb51834a15335aa6e
SHA256 56529b359e4c4695a3e290752d61c59ad3327a16574da95ca69a214552241a63
SHA512 200457f3c9f1120c6c97df354d7e9898e0a3dfecb6fb771985f9e28adaab29841e03e37e1100b759ae7baf89072859082aa3ddc340a8501396426441f8391f95

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 73ce21ff1fb2989f6350ace9274ae9b5
SHA1 7db6c387eb8351f3e8e361d10224711c3477821e
SHA256 d7005273bab949c42fcc73eac7820c4c5f08df1e9095020cdb0e17fc9e282d50
SHA512 a43767a55a559a8bf51d5dcb9bc378167f63e15f571b6be35903048570d036fed2a3f6a37c91f469ee9808d245cdd875b9dad38556e6bf97258a82c7071aeab3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 ebef9ccf096d3614ff1270f8029f5359
SHA1 2b35a06f2a57f9d27e4cfbbb9fe9fdb1fb8eb8a3
SHA256 2c4d862f0abc595d9968f1a4913add1c99c19ac21c148c56f8735442b2ed66c4
SHA512 c120c56e4ea4b161c36339872e78798e8fd71e42bd71f114b95f81ad7d24efdc35bfbaf753df935dd307fa879c09e743c1fdd8b534f1b8e41c988226325b1b57

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 d94e2062fcbe13fa11261760dbbcd2f9
SHA1 d264472565eef91e858fc08cece6f36e540e3c83
SHA256 09cb5151b21ba656d11e8434aa28472ee1a50384d414a32db4702943383a9c41
SHA512 31793548d4f3c9c2a6c4d3f0a36a69977a157244a08947d7171e8ba231b1c04d3d3c85fe7d5e54286ee2ccc29a5850852d0738a0711a860eae3bb1a69576b000

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
