Malware Analysis Report

2025-06-16 05:07

Sample ID 240409-la5a7sbe76
Target bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d
SHA256 bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d
Tags djvu discovery persistence ransomware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d

Threat Level: Known bad

The file bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-09 09:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-09 09:20
Reported 2024-04-09 09:23
Platform win10v2004-20240226-en
Max time kernel 147s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f8a8f0b9-7ca5-4685-8343-4ed8e8ba22b9\\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3004 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 3004 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 3004 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 3004 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 3004 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 3004 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 3004 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 3004 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 3004 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 3004 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 1748 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Windows\SysWOW64\icacls.exe
PID 1748 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Windows\SysWOW64\icacls.exe
PID 1748 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Windows\SysWOW64\icacls.exe
PID 1748 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 1748 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 1748 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 4968 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 4968 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 4968 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 4968 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 4968 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 4968 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 4968 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 4968 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 4968 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 4968 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe

"C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe"

C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe

"C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f8a8f0b9-7ca5-4685-8343-4ed8e8ba22b9" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe

"C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe

"C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 sajdfue.com udp
IR 93.118.137.82:80 sdfjhuz.com tcp
CO 190.156.239.49:80 sajdfue.com tcp
CO 190.156.239.49:80 sajdfue.com tcp
US 8.8.8.8:53 49.239.156.190.in-addr.arpa udp
US 8.8.8.8:53 82.137.118.93.in-addr.arpa udp
CO 190.156.239.49:80 sajdfue.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
CO 190.156.239.49:80 sajdfue.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
CO 190.156.239.49:80 sajdfue.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

memory/3004-1-0x0000000004AF0000-0x0000000004B84000-memory.dmp

memory/3004-2-0x0000000004B90000-0x0000000004CAB000-memory.dmp

memory/1748-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1748-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1748-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1748-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\f8a8f0b9-7ca5-4685-8343-4ed8e8ba22b9\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe

MD5 3673d9d72e9a1c772c4893f20f87d106
SHA1 9b345d65d056afb21352dd1ae43c18bae3bcd7c0
SHA256 bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d
SHA512 320e6945b6eb7cb37e8a4c4dc307687993765c07faa7c225ed0cfa8903500f7ccd8c7e6a672104bf7749858f35ffd4b744532bd88da4208c4210f55f9ab0a509

memory/1748-18-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4968-20-0x00000000049A0000-0x0000000004A3C000-memory.dmp

memory/2136-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2136-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2136-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fc5408c48a55314c72e200b74330cac4
SHA1 7e8889ec3189a40e6078088927bf3612753fa628
SHA256 7ea2a016d97635b1367455af2250cbf9e9c34d293829d11fc21ce905347590c4
SHA512 481753ef755c188012919ea728ea0395f22b6ce83f2f9a11675be6072f154db141b2382dc62ad7c3c95e36596529176a66f40e3d118cf0e33ea8e6f716ae1d77

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 68942175603ad5a678766b0531422f70
SHA1 8fb740b104b1b6e1653fd0b54bebeba3bfb740dc
SHA256 eccc37e09f5aab5322800e2621852e8ce1762a317e60aa598fcd11c746bedd29
SHA512 da13dd40bc634cb3f5409b44b2c27bdeb7f011757cc794cd554f5bb4547a1f9aac1821c2582fe45aa0e3b2a3491f7dca1b8fb5715a6145764b55285257d52589

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8b04dc782cb59efccd211451ce19fd07
SHA1 9a16734d3eb4249b38b965624d65d080555af1d3
SHA256 cbad0e5ccd5796c459f7cae553d0bed4caa0da2cbd4eb864c3952897d0a6aa46
SHA512 ea70c446bbd45e603dec6837872f38bd76c7abff2a9893cf8212edac04d1da028961c05d69d91d980b1134fdf1880dfeaffebb3743ad24c340d91f50909d59d2

memory/2136-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2136-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2136-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2136-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2136-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2136-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2136-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2136-39-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-09 09:20
Reported 2024-04-09 09:23
Platform win11-20240214-en
Max time kernel 142s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\972c59d6-0672-4da8-843e-dccb60b16645\\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 1740 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 1740 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 1740 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 1740 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 1740 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 1740 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 1740 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 1740 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 1740 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 2800 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Windows\SysWOW64\icacls.exe
PID 2800 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Windows\SysWOW64\icacls.exe
PID 2800 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Windows\SysWOW64\icacls.exe
PID 2800 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 2800 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 2800 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 2092 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 2092 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 2092 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 2092 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 2092 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 2092 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 2092 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 2092 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 2092 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe
PID 2092 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe

"C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe"

C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe

"C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\972c59d6-0672-4da8-843e-dccb60b16645" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe

"C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe

"C:\Users\Admin\AppData\Local\Temp\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
PH 222.127.60.34:80 sdfjhuz.com tcp
MX 189.134.97.255:80 sajdfue.com tcp
MX 189.134.97.255:80 sajdfue.com tcp
MX 189.134.97.255:80 sajdfue.com tcp
MX 189.134.97.255:80 sajdfue.com tcp
MX 189.134.97.255:80 sajdfue.com tcp

Files

memory/1740-1-0x0000000004AA0000-0x0000000004B3E000-memory.dmp

memory/1740-2-0x0000000004B40000-0x0000000004C5B000-memory.dmp

memory/2800-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2800-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2800-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2800-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\972c59d6-0672-4da8-843e-dccb60b16645\bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d.exe

MD5 3673d9d72e9a1c772c4893f20f87d106
SHA1 9b345d65d056afb21352dd1ae43c18bae3bcd7c0
SHA256 bbf4bf6d8f4ae6601964a7886f93cdb7e2389cb073a0675f738af95f3dbad32d
SHA512 320e6945b6eb7cb37e8a4c4dc307687993765c07faa7c225ed0cfa8903500f7ccd8c7e6a672104bf7749858f35ffd4b744532bd88da4208c4210f55f9ab0a509

memory/2800-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2092-20-0x0000000002FF0000-0x000000000308C000-memory.dmp

memory/4104-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4104-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4104-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fc5408c48a55314c72e200b74330cac4
SHA1 7e8889ec3189a40e6078088927bf3612753fa628
SHA256 7ea2a016d97635b1367455af2250cbf9e9c34d293829d11fc21ce905347590c4
SHA512 481753ef755c188012919ea728ea0395f22b6ce83f2f9a11675be6072f154db141b2382dc62ad7c3c95e36596529176a66f40e3d118cf0e33ea8e6f716ae1d77

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a8a6decac88caae3b60459b14c01e907
SHA1 daeb406b57bb1ad2d0367fb12a02b5ddc54dae4b
SHA256 e5bb1089eb3791d14638e235a0dcc91afa1c7a3d5350b4ea0b5f75d17c2dc5af
SHA512 5cbb9ab87eb60c3dcdacf621bd57b8e0d7e5eb588934d2b61e2a95e042928cd3125f243f4347ebaf13696fb2a9c0da33c909383e992af71d36ed2828cfab51ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 7965b46f6938502199f3fa3b6316c862
SHA1 cd6c705029b6dcb446d555a21bf0b6d1bff32123
SHA256 c2f8e09f97308014b56dfdad627b1ac2c11e89c98941ea216bcaf91887b02bc5
SHA512 c431864e2cc8b9499a0b7587ddc24ea5360b31c1e8f7ac56f0de3807b6bebf3dfa6862d3421164b355f5480b3f4bebbef63220dbc9e823011177f754edf6f820

memory/4104-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4104-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4104-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4104-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4104-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4104-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4104-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4104-39-0x0000000000400000-0x0000000000537000-memory.dmp