Malware Analysis Report

2025-06-16 05:07

Sample ID: 240409-c786zscb33
Target: 03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800
SHA256: 03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800
Tags: djvu discovery persistence ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800

Threat Level: Known bad

The file 03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Checks computer location settings

Modifies file permissions

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 02:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 02:44

Reported

2024-04-09 02:46

Platform

win11-20240319-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
18 matches; no description, indicator, process or target details recorded (all cells N/A)

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e3589f93-9121-40ca-916f-6983846b1db0\\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe\" --AutoStart"
Process: C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe
Target: N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 lookups)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 3028 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe
PID 3028 wrote to memory of 3200 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe C:\Windows\SysWOW64\icacls.exe
PID 3028 wrote to memory of 2448 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe
PID 2448 wrote to memory of 1292 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe

Processes (image path, followed by its command line)

C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe
    "C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe"

C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe
    "C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe"

C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\e3589f93-9121-40ca-916f-6983846b1db0" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe
    "C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe
    "C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
CO 186.147.159.149:80 sajdfue.com tcp (6 connections)

Files

memory/2444-1-0x0000000004BE0000-0x0000000004C7A000-memory.dmp

memory/2444-2-0x0000000004C80000-0x0000000004D9B000-memory.dmp

memory/3028-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3028-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3028-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3028-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\e3589f93-9121-40ca-916f-6983846b1db0\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe

MD5 a911c76f3695c14585bc205d9201804d
SHA1 c8422674f6541052f5b40bc0b0b106b57839581c
SHA256 03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800
SHA512 decf1357c7207e89912b33f6d0071d2112fe01d7612f8002035f0cdeb6e0a19dd3e72d5f63937ab3d54ebe46a5c4f5e2516b0a052d38c079724beb777cdaea79

memory/3028-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2448-20-0x0000000004AA0000-0x0000000004B42000-memory.dmp

memory/1292-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1292-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1292-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 580071ebd24cccfd9268e1474bb8134e
SHA1 443665efe7009fe1d4c5bc4786dc9cc540e59ef6
SHA256 53e3fd53196b53d23b724612cf2704518edf3e979dca02f5674ac419b5f7b461
SHA512 13d52455d8a30a0af06c420cd01f13f55efc4c55b59883c5208bf4929352e7b783557bff6a157c4fc71a8e7cbfadf00d55eef8ebef4b984624d8feb116a960a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 16741397ba1bbf4d2d36f19fca44c52a
SHA1 3180dc5ff9580328a77f166accb8f924878697e9
SHA256 047779fc9aea8da867b00281c50a965bd0af4f3ce67791592fd614614c07236d
SHA512 484812cb4bc6bbfe4e29e8626069b66eac86ff9e7e61d486b6bf2a419b61baaf81c33dc1213472bae9e3d41dd9950b115be3bafd245a52372b6cba2094faef02

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 c973b3d0dee0b10e1707e171bff58568
SHA1 1f8875694dc8f9805bcd1371ca6bd52692695f14
SHA256 0bb0f84de6a4d4a0cb03d6a37990b3a76b577260dbe6d93206936a4df188cc3e
SHA512 4965a0fb6632f0b5417e101affa67a8cc72e9af1c74962dbfe459d99f6394324b28681900f5bd4f98aaa1ae35ac517fc99d30ee6375c521a435b930e0397ad19

memory/1292-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1292-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1292-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1292-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1292-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1292-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1292-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1292-39-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 02:44

Reported

2024-04-09 02:46

Platform

win10v2004-20240226-en

Max time kernel

154s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
9 matches; no description, indicator, process or target details recorded (all cells N/A)

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe
Target: N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\61d139fb-ca56-408d-a06e-df6d64877503\\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe\" --AutoStart"
Process: C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe
Target: N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (2 lookups)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 464 wrote to memory of 3768 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe
PID 3768 wrote to memory of 1684 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe C:\Windows\SysWOW64\icacls.exe
PID 3768 wrote to memory of 2924 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe
PID 2924 wrote to memory of 3456 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe

Processes (image path, followed by its command line)

C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe
    "C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe"

C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe
    "C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe"

C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\61d139fb-ca56-408d-a06e-df6d64877503" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe
    "C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe
    "C:\Users\Admin\AppData\Local\Temp\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3456 -ip 3456

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 13.107.253.67:443 N/A tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp

Files

memory/464-1-0x00000000049B0000-0x0000000004A51000-memory.dmp

memory/464-2-0x0000000004A60000-0x0000000004B7B000-memory.dmp

memory/3768-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3768-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3768-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3768-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\61d139fb-ca56-408d-a06e-df6d64877503\03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800.exe

MD5 a911c76f3695c14585bc205d9201804d
SHA1 c8422674f6541052f5b40bc0b0b106b57839581c
SHA256 03e315f2fa7bfcfbb9093a302857e6446b1d64580e667039a91107104c2ac800
SHA512 decf1357c7207e89912b33f6d0071d2112fe01d7612f8002035f0cdeb6e0a19dd3e72d5f63937ab3d54ebe46a5c4f5e2516b0a052d38c079724beb777cdaea79

memory/3768-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2924-20-0x00000000049A0000-0x0000000004A35000-memory.dmp

memory/3456-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3456-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3456-25-0x0000000000400000-0x0000000000537000-memory.dmp