Malware Analysis Report

2025-08-05 13:12

Sample ID 240128-1cxfpsaee3
Target 7e0daefa772c4e91427b7e227464a94a
SHA256 0905ce384f22775cbf39039e92c7c35ade14ce150be8eb76ad6d5be3a09fb908
Tags
djvu discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0905ce384f22775cbf39039e92c7c35ade14ce150be8eb76ad6d5be3a09fb908

Threat Level: Known bad

The file 7e0daefa772c4e91427b7e227464a94a was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-28 21:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-28 21:30

Reported

2024-01-28 21:33

Platform

win7-20231215-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (15 detections, no indicator details recorded)

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1fe3819f-2d26-46b1-952e-3045545ab74a\\7e0daefa772c4e91427b7e227464a94a.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 events)

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe N/A (2 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 3052 (11 events) N/A C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe
PID 3052 wrote to memory of 3004 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe C:\Windows\SysWOW64\icacls.exe
PID 3052 wrote to memory of 2732 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe
PID 2732 wrote to memory of 2600 (11 events) N/A C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe

"C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe"

C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe

"C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\1fe3819f-2d26-46b1-952e-3045545ab74a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe

"C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe

"C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp

Files

memory/3032-0-0x0000000000360000-0x00000000003F2000-memory.dmp

memory/3052-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3032-2-0x0000000000360000-0x00000000003F2000-memory.dmp

memory/3032-5-0x0000000001DD0000-0x0000000001EEB000-memory.dmp

memory/3052-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3052-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3052-8-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\1fe3819f-2d26-46b1-952e-3045545ab74a\7e0daefa772c4e91427b7e227464a94a.exe

MD5 7e0daefa772c4e91427b7e227464a94a
SHA1 47b45eae10de91705fb957be36415a0a3575ae3d
SHA256 0905ce384f22775cbf39039e92c7c35ade14ce150be8eb76ad6d5be3a09fb908
SHA512 cd60fc07593d242fe9b2e6ae74c340d36c905b8692f11df78ba15b92b52eaf0e4912777e179ed1d2a840c00fbc060ea86c8e82c506c00dd64efff84b5f0a9650

memory/2732-27-0x0000000000310000-0x00000000003A2000-memory.dmp

memory/3052-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2732-29-0x0000000000310000-0x00000000003A2000-memory.dmp

memory/2600-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2600-35-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 a1f4c5cccee37e883c90289c613564f0
SHA1 9ba586f3a9e1faf7b601b40dcd65382fb1bdaf03
SHA256 e4b8dbe4f87a58da1afe996040974d56d1a4c9e9065452203ae1c01c57a30e06
SHA512 bc4c9d5eb3a48c0fe96a36aabe7a1cfb1de102b720b13cee7af62857621f8e8ce83a74f01dd8723748f068444d22966eca115193962b9393211b82d4b0aa011b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7e620bb51c6346619ece5d41f4ac9ccf
SHA1 55f8435cc4f740be20cc8f3e1f3709b3e37bff89
SHA256 972331bf876251e477d6232910b63cc2901ea9a039f03161b07bd4851d1452ab
SHA512 4b9a134d298f454348c3bdd274fa872df5d9e8fd107dce8792430837ab934c611eef26a2e0ec8bbc88bfc94a5b0c0e6add257ff1abcecf8fe6b3dddd1bb14874

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7762afe53f20e206883c8d6ac743c3ad
SHA1 1e805aeb46f0dd74b61f3138d23494b0cf4d1dd6
SHA256 05b74a5eb62ece4fd2e020d3aaabe22f687b3e5a058475ac0e15a44280654c12
SHA512 b861caaa232aad0844db5f996233f2edd498dce1d3e95357fbd9343d9fa6d8cf1464ff08bff87421df1e8c2c93051b8837d473734926cefd26234871ac94b67a

C:\Users\Admin\AppData\Local\Temp\CabAFCF.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae39933ee01903e13fbd0614076acbe0
SHA1 ad8c8bb44c4602437e762f360f2a78fab7a98182
SHA256 ffb12f2b30dc3435e48b299bd0d93943542580509aea5933ee0bce631f680925
SHA512 e5998b297820346723fc1340eccd30de0c9f2258935f6957e2863f936ebc49a0fb84c8e88f05308b65635ebaeb42614535f575bfd8f4399ebf16d2bf75d02172

memory/2600-48-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2600-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2600-50-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3032-52-0x0000000001DD0000-0x0000000001EEB000-memory.dmp

memory/2600-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2600-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2600-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2600-58-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2600-59-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-28 21:30

Reported

2024-01-28 21:33

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (17 detections, no indicator details recorded)

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\56a91300-2e67-458d-ba1a-4b11e616813f\\7e0daefa772c4e91427b7e227464a94a.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 events)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2500 (10 events) N/A C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe
PID 2500 wrote to memory of 2944 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe C:\Windows\SysWOW64\icacls.exe
PID 2500 wrote to memory of 4008 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe
PID 4008 wrote to memory of 4364 (10 events) N/A C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe

"C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe"

C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe

"C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\56a91300-2e67-458d-ba1a-4b11e616813f" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe

"C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe

"C:\Users\Admin\AppData\Local\Temp\7e0daefa772c4e91427b7e227464a94a.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/2348-1-0x0000000000690000-0x0000000000730000-memory.dmp

memory/2348-2-0x00000000022B0000-0x00000000023CB000-memory.dmp

memory/2500-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2500-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2500-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2500-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\56a91300-2e67-458d-ba1a-4b11e616813f\7e0daefa772c4e91427b7e227464a94a.exe

MD5 7e0daefa772c4e91427b7e227464a94a
SHA1 47b45eae10de91705fb957be36415a0a3575ae3d
SHA256 0905ce384f22775cbf39039e92c7c35ade14ce150be8eb76ad6d5be3a09fb908
SHA512 cd60fc07593d242fe9b2e6ae74c340d36c905b8692f11df78ba15b92b52eaf0e4912777e179ed1d2a840c00fbc060ea86c8e82c506c00dd64efff84b5f0a9650

memory/2500-15-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4008-18-0x0000000002130000-0x00000000021D0000-memory.dmp

memory/4364-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4364-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4364-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7e620bb51c6346619ece5d41f4ac9ccf
SHA1 55f8435cc4f740be20cc8f3e1f3709b3e37bff89
SHA256 972331bf876251e477d6232910b63cc2901ea9a039f03161b07bd4851d1452ab
SHA512 4b9a134d298f454348c3bdd274fa872df5d9e8fd107dce8792430837ab934c611eef26a2e0ec8bbc88bfc94a5b0c0e6add257ff1abcecf8fe6b3dddd1bb14874

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 c642ff867b62d9b88eca2ef043df3d74
SHA1 640cfee218cc457492d1bbe3974093d5cf2dc287
SHA256 63cbd31fb5bddf2dbaf49a5659f36f98bde8e410d6c3aaee5ca059cd2bd44f66
SHA512 9896aa1fde30c2b14862551ec013ab188d1496fbf332a2afecf81a1cce3ce37092bcfb1b7a7528e12c5ae4c4b1c1bf7af5fa0fc43aa78733b87f5e549e7164c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 335d879333160cef5e00aff29c9e4502
SHA1 7fd8518e51506d6bbf3910a78b890fd7e300542c
SHA256 cc15bc48459238bdf9c0c0bd61fe7072e110bf758aa75025630e11531ab5082b
SHA512 9437b8045ce462131f74ade7081de1bf7eb0513b1b85f08c1fa5e3f477fc5687d0bfae4cfc984ed0bbc19dc90c26720baa5c54953038e4f004d8ce341d05bf14

memory/4364-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4364-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4364-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4364-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4364-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4364-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4364-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4364-37-0x0000000000400000-0x0000000000537000-memory.dmp