Malware Analysis Report

2025-03-14 22:51

Sample ID 240406-1h4rzace27
Target ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe
SHA256 ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe
Tags
djvu discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe

Threat Level: Known bad

The file ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:39

Reported

2024-04-06 21:42

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c9504fc3-db50-43b5-b674-ee846e12f166\\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3476 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe
PID 1808 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe C:\Windows\SysWOW64\icacls.exe
PID 1808 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe
PID 4044 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe

"C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe"

C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe

"C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c9504fc3-db50-43b5-b674-ee846e12f166" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe

"C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe

"C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 99.18.217.172.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 sajdfue.com udp
MX 201.103.66.91:80 sdfjhuz.com tcp
MX 187.204.7.175:80 sajdfue.com tcp
MX 187.204.7.175:80 sajdfue.com tcp
US 8.8.8.8:53 175.7.204.187.in-addr.arpa udp
US 8.8.8.8:53 91.66.103.201.in-addr.arpa udp
MX 187.204.7.175:80 sajdfue.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
MX 187.204.7.175:80 sajdfue.com tcp
MX 187.204.7.175:80 sajdfue.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/3476-1-0x0000000004960000-0x00000000049F3000-memory.dmp

memory/3476-2-0x0000000004AA0000-0x0000000004BBB000-memory.dmp

memory/1808-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1808-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1808-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1808-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\c9504fc3-db50-43b5-b674-ee846e12f166\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe

MD5 03813c0d02b548f6d16a09dc6220e157
SHA1 03666fedc343f1ea458f1d8c7e0ffad796e90788
SHA256 ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe
SHA512 c856f9dd525c98a5200f3ef7201dd1566306a7c33b7ca9988e91f2d12694bc3fac761f24096b9a0044ba9c9044d4b8f7feef967b9395cfee71b1e0d9fd50aa70

memory/1808-15-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4044-18-0x00000000048F0000-0x0000000004986000-memory.dmp

memory/4200-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4200-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4200-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a8189958d0f1442f5bfe7b93c897c43a
SHA1 f314077388d56b240c7f1cdfe49ae7250a1b9d7f
SHA256 e193f67eaf98376663d9f778f346f15f46616a755d58bd680eb1bc1d249623bf
SHA512 d5b7aa752dbe9d1db281daaacca770ddf2ccc3d1ae7ed3f7b38a069b43318d9e11bcbef7045726165059c5d3b05ba6f48286ced37e89ac6034266b984e64a17f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 38fe440dcb41bf01baa39153169a3d74
SHA1 74a11892ffb1e9baf34fca27ce617993a3221080
SHA256 80c40063d4b3729809906924dd55487a4f20c5bc8aeefa8cfc313dc532f7e423
SHA512 eaf66971a2b57aa93c9fb3c2d25759174dfb0a90d61f2589aeee59d3c540b5cbd9fb669891616e57b41d66b41b6586c3724d3b02f91a86bb7bd905bf2faac31c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 7e996f99d26fe85f6047e641a6e95b2f
SHA1 36e025bc9d8ec304da465cad7973fdaca3778d1f
SHA256 777dcc0c3739cd8ee1297eb3d10a3e54b6850ee59a014866b4234892eef844ef
SHA512 3fac9b5da1e975f0c5cb64c8c62df05cb4d4051813674810b9a7248884e368e675ef96f983b6483dee00e3f20747582b3e7dae60059d685f4510c0f88b8f5d57

memory/4200-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4200-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4200-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4200-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4200-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4200-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4200-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4200-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:39

Reported

2024-04-06 21:43

Platform

win11-20240221-en

Max time kernel

141s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\934fff50-f4f1-444a-bd95-5db3e4038b00\\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4048 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe
PID 4920 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe C:\Windows\SysWOW64\icacls.exe
PID 4920 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe
PID 2252 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe

"C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe"

C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe

"C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\934fff50-f4f1-444a-bd95-5db3e4038b00" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe

"C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe

"C:\Users\Admin\AppData\Local\Temp\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1488 -ip 1488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 99.18.217.172.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

memory/4048-1-0x0000000004A30000-0x0000000004AC6000-memory.dmp

memory/4048-2-0x0000000004BD0000-0x0000000004CEB000-memory.dmp

memory/4920-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4920-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4920-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4920-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\934fff50-f4f1-444a-bd95-5db3e4038b00\ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe.exe

MD5 03813c0d02b548f6d16a09dc6220e157
SHA1 03666fedc343f1ea458f1d8c7e0ffad796e90788
SHA256 ecd4ed3aeeb6604487a212f72c127f36cdb8825e63aebef8dd9e927f165e2cbe
SHA512 c856f9dd525c98a5200f3ef7201dd1566306a7c33b7ca9988e91f2d12694bc3fac761f24096b9a0044ba9c9044d4b8f7feef967b9395cfee71b1e0d9fd50aa70

memory/4920-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1488-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2252-20-0x00000000049D0000-0x0000000004A72000-memory.dmp

memory/1488-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1488-25-0x0000000000400000-0x0000000000537000-memory.dmp