Malware Analysis Report

2025-06-16 05:07

Sample ID 240409-gg6emabe5v
Target f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56
SHA256 f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56
Tags
djvu discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56

Threat Level: Known bad

The file f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Modifies file permissions

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-04-09 05:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 05:47

Reported

2024-04-09 05:50

Platform

win11-20240221-en

Max time kernel

143s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (17 matches, no details recorded)

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4ee7e203-58d4-411e-9b85-aad544db5358\\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 800 wrote to memory of 4252 (10 events) N/A C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe
PID 4252 wrote to memory of 1492 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe C:\Windows\SysWOW64\icacls.exe
PID 4252 wrote to memory of 3480 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe
PID 3480 wrote to memory of 2712 (10 events) N/A C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe

"C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe"

C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe

"C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\4ee7e203-58d4-411e-9b85-aad544db5358" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe

"C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe

"C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
AR 200.45.93.45:80 sajdfue.com tcp
CO 190.156.239.49:80 sajdfue.com tcp
AR 200.45.93.45:80 sajdfue.com tcp
AR 200.45.93.45:80 sajdfue.com tcp
AR 200.45.93.45:80 sajdfue.com tcp
AR 200.45.93.45:80 sajdfue.com tcp

Files

memory/800-1-0x0000000004C10000-0x0000000004CB2000-memory.dmp

memory/800-2-0x0000000004CC0000-0x0000000004DDB000-memory.dmp

memory/4252-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4252-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4252-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4252-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\4ee7e203-58d4-411e-9b85-aad544db5358\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe

MD5 1be477c579869b30cd8f9ec09e2611b3
SHA1 897d59324c868c1d194dd0107212d119b15aa76a
SHA256 f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56
SHA512 23236d3b8f3452155496e9097aad21c9b9f9c06a1379a1cb819445d265b21a1cb2f859f5672c6e3e57e7ac7fef6b0ab25271e47202582b2f3c43a39d27e6c4df

memory/4252-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3480-20-0x0000000004960000-0x00000000049FB000-memory.dmp

memory/2712-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2712-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2712-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 580071ebd24cccfd9268e1474bb8134e
SHA1 443665efe7009fe1d4c5bc4786dc9cc540e59ef6
SHA256 53e3fd53196b53d23b724612cf2704518edf3e979dca02f5674ac419b5f7b461
SHA512 13d52455d8a30a0af06c420cd01f13f55efc4c55b59883c5208bf4929352e7b783557bff6a157c4fc71a8e7cbfadf00d55eef8ebef4b984624d8feb116a960a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 ae205a1749bdb7b70656d9abeebe7952
SHA1 7cb36d8093083a4926dffcee8d48f0e15e4336a9
SHA256 28ec58d780a3eb481bb0bb08b8f6590e65c42221ff365ca10e087f1fd88e5813
SHA512 3a85e4468bc7c9b8992cb9d555ea58bbf5d041653e3ca0dd489261c4ac0b6c437a7438a47871fe20c6dab6d6f5088b558677de38f4f4d571384b2becdbc88e8b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 0c35495e9b6093a61964e508204036fd
SHA1 d80f999f6854b291112fd23b124ac87aedc84004
SHA256 de425888e45e9ef9291093533a06b69d9aec7405b7cb8e0a6a91a2cf9800f664
SHA512 97fb05f3420dc026f0d96f2753ea389670e5097050b7f1b96b17c71915462f3210671baa9c968c0c961127031e331b30ed85fb24d8bfd745d903ac17c1606e30

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

memory/2712-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2712-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2712-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2712-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2712-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2712-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2712-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2712-39-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 05:47

Reported

2024-04-09 05:50

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (18 matches, no details recorded)

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6c6f50c6-94dc-43f9-82d4-078781cb920c\\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3844 wrote to memory of 2992 (10 events) N/A C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe
PID 2992 wrote to memory of 1580 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe C:\Windows\SysWOW64\icacls.exe
PID 2992 wrote to memory of 3848 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe
PID 3848 wrote to memory of 3524 (10 events) N/A C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe

"C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe"

C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe

"C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\6c6f50c6-94dc-43f9-82d4-078781cb920c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe

"C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe

"C:\Users\Admin\AppData\Local\Temp\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe" --Admin IsNotAutoStart IsNotTask

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4100 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 sajdfue.com udp
AR 190.195.60.212:80 sajdfue.com tcp
CO 181.129.118.140:80 sdfjhuz.com tcp
AR 190.195.60.212:80 sajdfue.com tcp
US 8.8.8.8:53 212.60.195.190.in-addr.arpa udp
US 8.8.8.8:53 140.118.129.181.in-addr.arpa udp
AR 190.195.60.212:80 sajdfue.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
AR 190.195.60.212:80 sajdfue.com tcp
AR 190.195.60.212:80 sajdfue.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 13.107.246.64:443 tcp

Files

memory/3844-1-0x0000000004AF0000-0x0000000004B85000-memory.dmp

memory/3844-2-0x0000000004B90000-0x0000000004CAB000-memory.dmp

memory/2992-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2992-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2992-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2992-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\6c6f50c6-94dc-43f9-82d4-078781cb920c\f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56.exe

MD5 1be477c579869b30cd8f9ec09e2611b3
SHA1 897d59324c868c1d194dd0107212d119b15aa76a
SHA256 f585d7f7bf9e7a6e5ef8ef61f42b7eeabb44a5ca37292781116392b795774f56
SHA512 23236d3b8f3452155496e9097aad21c9b9f9c06a1379a1cb819445d265b21a1cb2f859f5672c6e3e57e7ac7fef6b0ab25271e47202582b2f3c43a39d27e6c4df

memory/2992-16-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3848-19-0x00000000048E0000-0x0000000004977000-memory.dmp

memory/3524-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3524-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3524-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 32d86da12646fec4aceda05749f4808c
SHA1 74e7ed910d4c9653b3f8b1b9ce3aedbeee9e0057
SHA256 830b2742a3eb075ce0db0606bed617989cc0669311acaac0c2380ae208f01d23
SHA512 3267901e354f724071fad18e79ef3d6231f6b31f7da4350c1205a7bcf6db82aa60a339a8156bba128dfe39ba456b375061f84dce05fc18e2cf01860f51588d7f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 580071ebd24cccfd9268e1474bb8134e
SHA1 443665efe7009fe1d4c5bc4786dc9cc540e59ef6
SHA256 53e3fd53196b53d23b724612cf2704518edf3e979dca02f5674ac419b5f7b461
SHA512 13d52455d8a30a0af06c420cd01f13f55efc4c55b59883c5208bf4929352e7b783557bff6a157c4fc71a8e7cbfadf00d55eef8ebef4b984624d8feb116a960a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 bf6f6f176423b09787a1873bf23c274c
SHA1 dbccaba0f8aaf8fbcdce68be95a448c37e2c0862
SHA256 8511fa724d5a671de9d9363db135c9c98acaa7f43a68559d838f33f1d53050f5
SHA512 11e04ad8ba3298e5b8f640abe4b7aa2286f6a6975e90cfee9513ec62bc325636ed92ec61a36a33bd071b9481bd0e45b2c995046c1e911088b6a331bedd132465

memory/3524-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3524-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3524-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3524-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3524-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3524-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3524-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3524-37-0x0000000000400000-0x0000000000537000-memory.dmp