Malware Analysis Report

2025-08-05 13:12

Sample ID 240127-hpxccsfch2
Target 7990fa877fec785fe61a58c3c7a5ab76
SHA256 27f13dee7cc319ab79efc4a3597e33a513cbd9457ccd570db534a730448b6dfd
Tags
djvu discovery persistence ransomware
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

27f13dee7cc319ab79efc4a3597e33a513cbd9457ccd570db534a730448b6dfd

Threat Level: Known bad

The file 7990fa877fec785fe61a58c3c7a5ab76 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Renames multiple (163) files with added filename extension

Modifies file permissions

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-27 06:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-27 06:55

Reported

2024-01-27 06:57

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Renames multiple (163) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d00c35b7-0da9-41dd-bae0-3b1b428959ff\\7990fa877fec785fe61a58c3c7a5ab76.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1328 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1328 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1328 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1328 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1328 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1328 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1328 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1328 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1328 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1328 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2304 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Windows\SysWOW64\icacls.exe
PID 2304 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Windows\SysWOW64\icacls.exe
PID 2304 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Windows\SysWOW64\icacls.exe
PID 2304 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2304 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2304 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2112 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2112 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2112 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2112 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2112 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2112 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2112 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2112 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2112 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2112 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 4760 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 4760 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 4760 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 4760 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 4760 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 4760 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 4760 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 4760 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 4760 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 4760 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe

"C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe"

C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe

"C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe

"C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe

"C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe

C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe --Task

C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe

C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe --Task

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp

Files

memory/1328-1-0x0000000002E90000-0x0000000002F24000-memory.dmp

memory/1328-2-0x0000000004BF0000-0x0000000004D0B000-memory.dmp

memory/2304-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2304-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2304-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2304-3-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe

MD5 94f1879a2aebc92b2c5d126e2c829a37
SHA1 cb251960be49d17028f5799e350fc40149b0278b
SHA256 dce6668e8892c49469334e94a89f8ad5f3ec3e2d6b8fcd1f4b4a078266c0a08c
SHA512 38e9a4a578d4e2274ad08a4c9afa03c974b2dd50da0a257a79e87bb1762e0f69921fe149166dbc5b2b6d53df0f083738546a6755e400237e1f792121b7141131

memory/2304-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2112-22-0x0000000002F10000-0x0000000002FA8000-memory.dmp

memory/3664-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3664-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3664-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 9fdb4e6c3c1cde29d0362b275f5597b4
SHA1 015118fb720342f3f20e1bdd2175f228e32ccbdd
SHA256 ff577ca55f92e6f7b24c3e2f67077e8a0846ced58b760953b93777998fddd260
SHA512 8590d8a45b9a58227ce11bdd8b877edf185ad3eeaa0605cb2069ea4e703f9b4743d14d3b8013d3377157bb9c960def744209cbfef21f84403704217c4caa308f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 117581c8a2ff4fce10d77d2f81dd0cdc
SHA1 a0fbeeef3c720485767906ddf3d699f78bd3a692
SHA256 14924e43f9d37b1bfca5c3d878e9ad833b26ce047840565801eb2aa2257770e2
SHA512 4230d5299fb961cb1d2ea3bd971e3df2cc3bdd10ff4331e672bfb4ab49a68f757df0d433dc0cfc8f07a6b6e0b51166cb571eefa93eb9a41f98197fcce5eec9a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 0e5059582cf6965707bf9e2ab3efb048
SHA1 3af8d3ce806f9995e406715fb23d38871562f789
SHA256 09171da67630cea459e7706434e9bc33701e8c05a2471ad3c415667c4f3c3f73
SHA512 299f051a19b8c3f1943b5c26aa90e9dc353d59e9c78b0da1f087b18219d3ca8b98e091b8f3983878c5ad4286a4fccf2d5d0e150400d7f1690e58508a174f97d1

memory/3664-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3664-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3664-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3664-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3664-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3664-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3664-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3664-41-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\d00c35b7-0da9-41dd-bae0-3b1b428959ff\7990fa877fec785fe61a58c3c7a5ab76.exe

MD5 7990fa877fec785fe61a58c3c7a5ab76
SHA1 deb2f3da015e94c6d4ef3ae14dd2e0df801d4686
SHA256 27f13dee7cc319ab79efc4a3597e33a513cbd9457ccd570db534a730448b6dfd
SHA512 4b92f1c133098cfd7ad8a3610cd6d74416257e3912ceec37d8a3916a7c62861562ff9f143d31833df711f5c8dceff09c69177e1daea2f1d8511c6fe7ba6d95f1

memory/4760-54-0x0000000004890000-0x0000000004927000-memory.dmp

memory/4732-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4732-58-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4732-59-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4732-62-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-27 06:55

Reported

2024-01-27 06:57

Platform

win7-20231129-en

Max time kernel

149s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\62afaed8-359a-4c11-a509-b748af201d71\\7990fa877fec785fe61a58c3c7a5ab76.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [certificate blob data omitted] C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [certificate blob data omitted] C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [certificate blob data omitted] C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2356 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2356 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2356 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2356 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2356 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2356 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2356 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2356 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2356 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2356 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2180 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Windows\SysWOW64\icacls.exe
PID 2180 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Windows\SysWOW64\icacls.exe
PID 2180 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Windows\SysWOW64\icacls.exe
PID 2180 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Windows\SysWOW64\icacls.exe
PID 2180 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2180 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2180 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2180 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2440 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2440 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2440 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2440 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2440 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2440 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2440 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2440 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2440 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2440 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 2440 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1780 wrote to memory of 1216 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1780 wrote to memory of 1216 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1780 wrote to memory of 1216 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1780 wrote to memory of 1216 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1216 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1216 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1216 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1216 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1216 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1216 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1216 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1216 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1216 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1216 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe
PID 1216 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe

"C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe"

C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe

"C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe

"C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe

"C:\Users\Admin\AppData\Local\Temp\7990fa877fec785fe61a58c3c7a5ab76.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\taskeng.exe

taskeng.exe {3B241CAB-06BE-4AB4-9E50-8002A2895614} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe

C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe --Task

C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe

C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe --Task

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp
US 172.67.139.220:443 api.2ip.ua tcp

Files

memory/2356-0-0x0000000000320000-0x00000000003B2000-memory.dmp

memory/2180-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2356-4-0x0000000002E70000-0x0000000002F8B000-memory.dmp

memory/2180-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2356-1-0x0000000000320000-0x00000000003B2000-memory.dmp

memory/2180-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2180-8-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe

MD5 7990fa877fec785fe61a58c3c7a5ab76
SHA1 deb2f3da015e94c6d4ef3ae14dd2e0df801d4686
SHA256 27f13dee7cc319ab79efc4a3597e33a513cbd9457ccd570db534a730448b6dfd
SHA512 4b92f1c133098cfd7ad8a3610cd6d74416257e3912ceec37d8a3916a7c62861562ff9f143d31833df711f5c8dceff09c69177e1daea2f1d8511c6fe7ba6d95f1

memory/2440-47-0x0000000002CF0000-0x0000000002D82000-memory.dmp

memory/2180-46-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2440-49-0x0000000002CF0000-0x0000000002D82000-memory.dmp

memory/1180-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1180-55-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 e07af89ea78e522a9a6c0c4814ba09a6
SHA1 d31d566272627c95c6ad4e0d4ebed12556ebfdda
SHA256 5c44c936eb6fb2acaee6df251729f7a2e6ddc625aee18590daef9585deb36dc1
SHA512 9fb5a2ed52ceaa517820ae30cc9e11c68b4f609aeb5a25da95df336cc191ef9d6f5a44099b6323eb7c7e3531f73186a0e837e199ca7e222cabd3a13785704699

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 117581c8a2ff4fce10d77d2f81dd0cdc
SHA1 a0fbeeef3c720485767906ddf3d699f78bd3a692
SHA256 14924e43f9d37b1bfca5c3d878e9ad833b26ce047840565801eb2aa2257770e2
SHA512 4230d5299fb961cb1d2ea3bd971e3df2cc3bdd10ff4331e672bfb4ab49a68f757df0d433dc0cfc8f07a6b6e0b51166cb571eefa93eb9a41f98197fcce5eec9a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 443ce6decc95bb44db5b00c5fdaa6f8c
SHA1 8d19bb014d3634d94aa8b85aa15ae8c58fac9c8e
SHA256 238724813c58f7a076295105cd754f8dfc9b34518cdacefcb51e15274949eb1b
SHA512 ab49637a7c6377b62f6685132290fd18affe6716c83c0a399560ae425000d98d827bdaca7f3e196546202e160ebbf0e30c56057d5604b8c220f770aae0c38301

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1fcacf2a3ee02ed1a62b7a5dd441b3d1
SHA1 d3b3eb9b4783a144bad89ee7bf8f2ad5638c4566
SHA256 174518b021d3c4683f119e7ba25d44173ee73c6e3a282525e087f3c1ed6bf41b
SHA512 400fc211d793c4204d4dfe31f3d1efefd6d89b5a390a9d79f238e49adfd7bb0019240d18dd3771b8cef6650f8cdc3046c6689cf927248c40223c3652d36ec098

C:\Users\Admin\AppData\Local\Temp\Tar390B.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 e7daa591cbedcea2f08093f8db37b1cc
SHA1 dc617f0a7ce3fa00edfdd63e354c5cca1657cbd2
SHA256 c6aba303f57de02bf6b4a874dd3850ef1c7a9f9007cb98e8e40cfe86c7e957b7
SHA512 064d8596e79117e6b2fb311dbd372599bd3bbfee065e7ec9aabe129aec1c0030db39ee8e125af83d4bbc6e12bc4e5d4cffc58b2fa5406ae941ed1552e08bfc02

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

memory/1180-73-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1180-74-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1180-75-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1180-78-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1180-81-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1180-80-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1180-82-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1180-83-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\62afaed8-359a-4c11-a509-b748af201d71\7990fa877fec785fe61a58c3c7a5ab76.exe

MD5 6f839c04290bbb081b060e59fa4eea67
SHA1 1efa2d709f710a03451463b7fbb97bf0d078055a
SHA256 f220fafd149021b85fda81afcc0c730dc530bfadf7930cc89f3fd222ccc85e6c
SHA512 3c1f6cdd7d7eec19b2ee333d71ae2faab7c564ac2e413b6525e14a694c43b82dfee65155275219f38749880b5ad6d6a78e12419df60dea784f889c7d812c5a93

memory/1216-96-0x0000000002CF0000-0x0000000002D82000-memory.dmp

memory/1216-99-0x0000000002CF0000-0x0000000002D82000-memory.dmp

memory/3060-105-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3060-113-0x0000000000400000-0x0000000000537000-memory.dmp