Malware Analysis Report

2025-08-05 13:12

Sample ID 240128-ezf7cacgfp
Target 7c2428bc20c16c8fd744c1216032336e
SHA256 2a8a855ea51edbb8079331fafdb95680727e210756efaa00f2dec1fa60bfe2bb
Tags
djvu discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2a8a855ea51edbb8079331fafdb95680727e210756efaa00f2dec1fa60bfe2bb

Threat Level: Known bad

The file 7c2428bc20c16c8fd744c1216032336e was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-28 04:22

Signatures

Unsigned PE

No indicator details rendered for this signature (Description, Indicator, Process and Target all N/A).

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-28 04:22

Reported

2024-01-28 04:25

Platform

win7-20231215-en

Max time kernel

142s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe"

Signatures

Detected Djvu ransomware

15 matches; no indicator details rendered (Description, Indicator, Process and Target all N/A on every row).

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Process: C:\Windows\SysWOW64\icacls.exe (Description, Indicator and Target not rendered)

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b7457ef8-8382-4409-906a-8322cca04a35\\7c2428bc20c16c8fd744c1216032336e.exe\" --AutoStart"
Process: C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe

Looks up external IP address via web service

Indicator: api.2ip.ua (3 hits; Description, Process and Target not rendered)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Process images: sample.exe = C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe; icacls.exe = C:\Windows\SysWOW64\icacls.exe
Writes = number of WriteProcessMemory events recorded for the pair (Indicator column N/A on every event).

Writes  Source (PID, image)  Target (PID, image)
11      1700 sample.exe      2224 sample.exe
4       2224 sample.exe      2592 icacls.exe
4       2224 sample.exe      2904 sample.exe
11      2904 sample.exe      2608 sample.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe

"C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe"

C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe

"C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\b7457ef8-8382-4409-906a-8322cca04a35" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe

"C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe

"C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp

Files

memory/1700-0-0x0000000002D00000-0x0000000002D92000-memory.dmp

memory/1700-1-0x0000000002D00000-0x0000000002D92000-memory.dmp

memory/1700-2-0x0000000004630000-0x000000000474B000-memory.dmp

memory/2224-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2224-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2224-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2224-8-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\b7457ef8-8382-4409-906a-8322cca04a35\7c2428bc20c16c8fd744c1216032336e.exe

MD5 7c2428bc20c16c8fd744c1216032336e
SHA1 eed631c49a30baf635422abbffe2ef95b06eaec0
SHA256 2a8a855ea51edbb8079331fafdb95680727e210756efaa00f2dec1fa60bfe2bb
SHA512 19f63de6c09e3124a685da026e916225ab0949d766df83b38f5eedc17186f34dd83688066b2adfa8158df7b015eeace3a00eb599cd25bde952ae8e653a03fd88

memory/2904-29-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2224-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2904-31-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2608-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2608-37-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 707d9a15027b3f8639b348621028e493
SHA1 2b935cf02e98d337a37caddf49804552fc93040a
SHA256 76bfbecaa87db84c07e50f24fdcfb9e70c976cb96c6d5ff291b0b59e1a9c9b16
SHA512 88a7c37e44f1aa7d0e9a317daf2d0e76ec52c801761eff494337be05a14a565fca6ec38810f890b3d22a3c1c6f382dfb41b451e05eb2a48fb47f7df8b57c8b68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 d8e9a9e4130b15b18a3063fba8fe8c0e
SHA1 25a3e87a452f9f6e3f88a042c7428e20d1abc468
SHA256 9dcbf787433a6ad8e684de0662466aeae178f87349e94158ae51aa76cdbdb333
SHA512 d2cca10e2b5a2f3ba748d660421c4bd043f0091b068341cd42454ad7a6cde27270338ea6223d4574436f0b304e6c3646cb97fa5c17e2877ebec82ef9f64cfa3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17f6020649f5793ae98f14daf0fab546
SHA1 0b8c25f260b664d77f967ee4c9bb16a8c22c0056
SHA256 34ccb6a63785a376928457201aa24950e23c0462a09a855c0498a45166af9456
SHA512 6e82127fc8a4e56c2c88e60ef51ff4a868cd649e9fcec905b7173db539c59cd8a210d79a7fe4d0dd198e949b0c4532bbbea320f500b2e200fe939c8e82a00b38

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b40baee421e93a6145908f67787a291a
SHA1 311874de97781222e06810a295e2f78a67b84f81
SHA256 25d9d82b04a8a02ccdf9e5980ff2749edcae335faf854d05e24a4a42b35bfa17
SHA512 77ceb1d112977f51b89484cbf29c7e299b9e44ba8e8f3daba20cfc71782b2cb1de99c58aaeae4f9741cb13a7389743863927cec42036666e3acf980be2cfd935

C:\Users\Admin\AppData\Local\Temp\Cab8739.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2608-52-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2608-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2608-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2904-57-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2608-58-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2608-61-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2608-60-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2608-62-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2608-63-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-28 04:22

Reported

2024-01-28 04:25

Platform

win10v2004-20231222-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe"

Signatures

Detected Djvu ransomware

17 matches; no indicator details rendered (Description, Indicator, Process and Target all N/A on every row).

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe

Modifies file permissions

discovery
Process: C:\Windows\SysWOW64\icacls.exe (Description, Indicator and Target not rendered)

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f99fcc13-dba6-4604-90db-0f8a2f858df1\\7c2428bc20c16c8fd744c1216032336e.exe\" --AutoStart"
Process: C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe

Looks up external IP address via web service

Indicator: api.2ip.ua (3 hits; Description, Process and Target not rendered)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Process images: sample.exe = C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe; icacls.exe = C:\Windows\SysWOW64\icacls.exe
Writes = number of WriteProcessMemory events recorded for the pair (Indicator column N/A on every event).

Writes  Source (PID, image)  Target (PID, image)
10      3460 sample.exe      2076 sample.exe
3       2076 sample.exe      1252 icacls.exe
3       2076 sample.exe      4056 sample.exe
10      4056 sample.exe      468 sample.exe
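The WriteProcessMemory rows above (and the equivalent table in behavioral1) are the only place this report records which process spawned which, so rebuilding the chain from them is the quickest way to see the sample's structure: a dropper instance writing into a fresh copy of its own image, that copy launching icacls.exe and a third instance, which in turn writes into a fourth. The script below is an added example and not part of the sandbox's tooling. It regenerates the rows in the one-event-per-line form the sandbox uses for this signature, with the PIDs, images and repeat counts of the behavioral2 run (3460, 2076, 1252, 4056, 468), parses them, and prints the tree with per-edge write counts. The "self-injection candidate" label is an interpretation, not something the report states: a parent writing repeatedly into a new instance of its own image is consistent with process hollowing and should be read together with the "Suspicious use of SetThreadContext" signature, not on its own.

```python
"""Rebuild a process chain from a sandbox's 'Suspicious use of WriteProcessMemory' rows.

Added example for this page, not the sandbox's own code. SAMPLE_ROWS is
constructed to match the behavioral2 table (10 + 3 + 3 + 10 events); the
parser and tree builder are generic and handle the behavioral1 table too.
"""
import ntpath
import re

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

SELF = r"C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe"
ICACLS = r"C:\Windows\SysWOW64\icacls.exe"


def _row(src, dst, src_img, dst_img):
    return f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"


# Constructed from the behavioral2 table: one line per WriteProcessMemory event.
SAMPLE_ROWS = "\n".join(
    [_row(3460, 2076, SELF, SELF)] * 10
    + [_row(2076, 1252, SELF, ICACLS)] * 3
    + [_row(2076, 4056, SELF, SELF)] * 3
    + [_row(4056, 468, SELF, SELF)] * 10
)


def parse_rows(text):
    """Return one (src_pid, dst_pid, src_image, dst_image) tuple per matching line."""
    edges = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return edges


def build_tree(edges):
    """Group edges into parent -> {child: write_count} and pid -> image, in first-seen order."""
    children, image = {}, {}
    for src, dst, src_img, dst_img in edges:
        children.setdefault(src, {})
        children[src][dst] = children[src].get(dst, 0) + 1
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
    return children, image


def roots(children):
    """PIDs that write to others but are never written to: the chain's origin(s)."""
    written_to = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in written_to)


def self_injection_edges(children, image):
    """Edges whose parent and child run the same image: hollowing / self-injection candidates."""
    return [(p, c, n) for p, kids in children.items() for c, n in kids.items()
            if image[p] == image[c]]


def chain_depth(children, pid):
    """Number of processes on the longest path starting at pid."""
    return 1 + max((chain_depth(children, c) for c in children.get(pid, {})), default=0)


def render(children, image, pid, parent=None, depth=0, out=None):
    """Indented text tree: one line per process with the write count from its parent."""
    out = [] if out is None else out
    label = f"{pid} {ntpath.basename(image[pid])}"
    if parent is not None:
        label += f"  [{children[parent][pid]} write(s) from {parent}]"
        if image[parent] == image[pid]:
            label += "  <- same image: self-injection candidate"
    out.append("  " * depth + label)
    for child in children.get(pid, {}):
        render(children, image, child, pid, depth + 1, out)
    return out


if __name__ == "__main__":
    tree, images = build_tree(parse_rows(SAMPLE_ROWS))
    for root in roots(tree):
        print("\n".join(render(tree, images, root)))
        print("chain depth:", chain_depth(tree, root))
```

Feeding the behavioral1 rows through the same functions yields the same shape (1700 -> 2224 -> {2592 icacls.exe, 2904} -> 2608), which is useful when comparing runs: the Windows 7 and Windows 10 detonations differ in PIDs and write counts but not in structure.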

Processes

C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe

"C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe"

C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe

"C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f99fcc13-dba6-4604-90db-0f8a2f858df1" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe

"C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe

"C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 195.18.217.172.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
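The three behaviours that carry the most signal in this report are the icacls invocation (a deny ACE for Everyone, S-1-1-0, removing delete and delete-child rights on the GUID-named folder that holds the relaunch copy, so the copy cannot simply be deleted), the HKCU Run value named SysHelper pointing at that copy with --AutoStart, and the lookup of api.2ip.ua. String-matching the icacls line is brittle, so the example below parses icacls ACE syntax (principal, inheritance flags, rights) and decides on the parsed form; the Run value, the "--Admin IsNotAutoStart IsNotTask" relaunch and the DNS lookup are checked alongside it. This is an added example, not code from the sandbox or this page: SAMPLE_EVENTS is constructed from the behavioral2 tables above plus two benign controls, the event schema (type / cmdline / name / data / query) is this example's own, and the ATT&CK technique IDs attached to each rule are the editor's mapping, not something the report states. The same rules apply unchanged to the behavioral1 run.

```python
"""Indicator checks for the STOP/Djvu behaviours recorded in this report.

Added example, not the sandbox's tooling. Event schema and ATT&CK mappings are
assumptions of this example; SAMPLE_EVENTS mixes values from the report's
behavioral2 tables with two constructed benign controls.
"""
import ntpath
import re
import shlex

INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}          # icacls inheritance tokens
# %LOCALAPPDATA%\<GUID>\ is where this sample stores its relaunch copy.
GUID_DIR = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}(?:\\|$)", re.I)


def parse_icacls_ace(spec):
    """'*S-1-1-0:(OI)(CI)(DE,DC)' -> principal, SID flag, inheritance flags, rights."""
    who, sep, perm = spec.partition(":")
    if not sep or not perm:
        raise ValueError(f"not an icacls ACE: {spec!r}")
    inherit, rights = set(), set()
    for group, simple in re.findall(r"\(([^)]*)\)|([A-Za-z,]+)", perm):
        items = [t for t in (group or simple).split(",") if t]
        if group and all(t in INHERIT_FLAGS for t in items):
            inherit.update(items)          # (OI), (CI), (IO), (NP), (I)
        else:
            rights.update(items)           # (DE,DC), F, R, M, (X) ...
    return {"principal": who.lstrip("*"), "is_sid": who.startswith("*"),
            "inherit": inherit, "rights": rights}


def parse_icacls_cmdline(cmdline):
    """Return (target_path, [(mode, ace), ...]) for an icacls command line, else None."""
    argv = [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    if not argv or ntpath.basename(argv[0]).lower() not in ("icacls", "icacls.exe"):
        return None
    target, aces, mode = (argv[1] if len(argv) > 1 else ""), [], None
    for arg in argv[2:]:
        if arg.lower() in ("/grant", "/grant:r", "/deny"):
            mode = arg.lower()
        elif arg.startswith("/"):
            mode = None                    # /T, /C, /remove, /inheritance ... not scored here
        elif mode:
            aces.append((mode, parse_icacls_ace(arg)))
    return target, aces


def check_icacls(cmdline):
    """Deny ACE for Everyone that strips delete rights (assumed mapping: T1222.001)."""
    parsed = parse_icacls_cmdline(cmdline)
    if not parsed:
        return None
    target, aces = parsed
    for mode, ace in aces:
        if (mode == "/deny" and ace["principal"] in ("S-1-1-0", "Everyone")
                and ace["rights"] & {"DE", "DC"}):
            return {"rule": "icacls deny-delete to Everyone", "technique": "T1222.001",
                    "target": target, "in_guid_dir": bool(GUID_DIR.search(target))}
    return None


def check_run_value(name, data):
    """Run value named SysHelper, or any --AutoStart relaunch from a GUID folder (T1547.001)."""
    if name.lower() == "syshelper" or ("--autostart" in data.lower() and GUID_DIR.search(data)):
        return {"rule": "Run value relaunches dropped copy", "technique": "T1547.001", "value": name}
    return None


def check_relaunch(cmdline):
    """The '--Admin IsNotAutoStart IsNotTask' argument set from the process list."""
    if re.search(r"--Admin\s+IsNotAutoStart\s+IsNotTask", cmdline):
        return {"rule": "Djvu --Admin relaunch arguments", "technique": None}
    return None


def check_dns(query):
    """External IP lookup service the report records (assumed mapping: T1016)."""
    if query.lower() == "api.2ip.ua":
        return {"rule": "external IP lookup", "technique": "T1016", "domain": query}
    return None


def scan(events):
    """Apply the rules to {type: process|registry|dns, ...} events; return the hits in order."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            hit = check_icacls(ev["cmdline"]) or check_relaunch(ev["cmdline"])
        elif ev["type"] == "registry":
            hit = check_run_value(ev["name"], ev["data"])
        else:
            hit = check_dns(ev["query"])
        if hit:
            findings.append(hit)
    return findings


SAMPLE_EVENTS = [  # first five from the behavioral2 tables; last two are constructed controls
    {"type": "process", "cmdline": r'icacls "C:\Users\Admin\AppData\Local\f99fcc13-dba6-4604-90db-0f8a2f858df1" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "registry", "name": "SysHelper",
     "data": r'"C:\Users\Admin\AppData\Local\f99fcc13-dba6-4604-90db-0f8a2f858df1\7c2428bc20c16c8fd744c1216032336e.exe" --AutoStart'},
    {"type": "process", "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\7c2428bc20c16c8fd744c1216032336e.exe" --Admin IsNotAutoStart IsNotTask'},
    {"type": "dns", "query": "api.2ip.ua"},
    {"type": "dns", "query": "astdg.top"},    # also queried in the report; no rule fires on it
    {"type": "process", "cmdline": r'icacls "C:\Data\share" /grant Users:(OI)(CI)R'},
    {"type": "registry", "name": "OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Parsing the ACE rather than grepping for the literal string means a variant that writes the same deny with `Everyone:(OI)(CI)(DE,DC)` or reorders the flags still matches, while a legitimate `/grant` on a shared folder does not. On a live host the undo for the ACE the sample sets is `icacls <folder> /remove:d *S-1-1-0` before deleting the folder, and the Run value and its SysHelper name are the persistence to remove alongside it.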

Files

memory/3460-1-0x0000000004A50000-0x0000000004AF0000-memory.dmp

memory/3460-2-0x0000000004B50000-0x0000000004C6B000-memory.dmp

memory/2076-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2076-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2076-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2076-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\f99fcc13-dba6-4604-90db-0f8a2f858df1\7c2428bc20c16c8fd744c1216032336e.exe

MD5 7c2428bc20c16c8fd744c1216032336e
SHA1 eed631c49a30baf635422abbffe2ef95b06eaec0
SHA256 2a8a855ea51edbb8079331fafdb95680727e210756efaa00f2dec1fa60bfe2bb
SHA512 19f63de6c09e3124a685da026e916225ab0949d766df83b38f5eedc17186f34dd83688066b2adfa8158df7b015eeace3a00eb599cd25bde952ae8e653a03fd88

memory/2076-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4056-20-0x00000000048F0000-0x000000000498E000-memory.dmp

memory/468-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/468-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/468-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 980f47202d291ccf36f00ff5486ad571
SHA1 06e3e2d87f5c37742ed92e16283f8cda1b7f4bfc
SHA256 c41b8cf7598c867977dbf980b77306f4b69d8ab2958213c2c9c1d84d1fcd2c08
SHA512 390f3826d466e0f3f51e03bd7113877085250182f8bb9e7173213adecd2ef6c31a74e4b0b88769df88529cc8d302b72ff01f64bdd76f2888e02b06a9898650b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b40baee421e93a6145908f67787a291a
SHA1 311874de97781222e06810a295e2f78a67b84f81
SHA256 25d9d82b04a8a02ccdf9e5980ff2749edcae335faf854d05e24a4a42b35bfa17
SHA512 77ceb1d112977f51b89484cbf29c7e299b9e44ba8e8f3daba20cfc71782b2cb1de99c58aaeae4f9741cb13a7389743863927cec42036666e3acf980be2cfd935

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 51e29e936851a4add5c1f45994f2a828
SHA1 518a4cd1094a24e2d7640eefeecfaf1ec5928a3e
SHA256 7f66936444a6f60559d43943f30514e527c70ea7e92a2dbabef2b7d66a2c8eff
SHA512 3350fadcc1c304d2ed1e066a7d2e65b37df4c8724b825f664e3ad12929a772692bf98559adab7d632ad03b8802a7b44922155816bf793a7fdd35b32250129b7f

memory/468-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/468-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/468-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/468-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/468-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/468-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/468-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/468-41-0x0000000000400000-0x0000000000537000-memory.dmp