Malware Analysis Report

2025-06-16 05:07

Sample ID 240409-ld9p4aeh7t
Target 235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d
SHA256 235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d
Tags
djvu discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d

Threat Level: Known bad

The file 235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 09:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 09:26

Reported

2024-04-09 09:28

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7b7a6805-12d1-45c2-a39e-612452f0ec2a\\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3848 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 3848 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 3848 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 3848 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 3848 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 3848 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 3848 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 3848 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 3848 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 3848 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 2736 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Windows\SysWOW64\icacls.exe
PID 2736 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Windows\SysWOW64\icacls.exe
PID 2736 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Windows\SysWOW64\icacls.exe
PID 2736 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 2736 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 2736 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 4084 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 4084 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 4084 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 4084 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 4084 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 4084 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 4084 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 4084 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 4084 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 4084 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe

Processes

C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe

"C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe"

C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe

"C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\7b7a6805-12d1-45c2-a39e-612452f0ec2a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe

"C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe

"C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 sajdfue.com udp
BG 93.152.141.65:80 sdfjhuz.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
PK 175.107.202.43:80 sajdfue.com tcp
PK 175.107.202.43:80 sajdfue.com tcp
US 8.8.8.8:53 65.141.152.93.in-addr.arpa udp
MX 189.146.135.235:80 sajdfue.com tcp
MX 189.146.135.235:80 sajdfue.com tcp
US 8.8.8.8:53 235.135.146.189.in-addr.arpa udp
MX 189.146.135.235:80 sajdfue.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
MX 189.146.135.235:80 sajdfue.com tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
MX 189.146.135.235:80 sajdfue.com tcp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/3848-1-0x00000000049A0000-0x0000000004A36000-memory.dmp

memory/3848-2-0x0000000004A40000-0x0000000004B5B000-memory.dmp

memory/2736-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2736-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2736-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2736-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\7b7a6805-12d1-45c2-a39e-612452f0ec2a\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe

MD5 ee8058320fb4a8fb8246a79f2bdc6201
SHA1 97cc9afb26cc57eb82daa74319aaa8375175ff05
SHA256 235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d
SHA512 6a1b7cfc6a617a4cb9797cf4ee7791c5bb30ad8156683080e7fad00474d61fb8b1392bdfde658953d44cc41aeddfbab5ce836fc8b6b4ddae24064462942f8028

memory/2736-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4084-20-0x0000000002F10000-0x0000000002FA3000-memory.dmp

memory/1856-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1856-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1856-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b715790f51f0d2733b82e94647b9b91c
SHA1 1bbc5dbd2877eee1945160cb0e7310cd6ca98071
SHA256 005e81e16fa80f4f5559c8d6245ac120ed0e8c1b6fb89b491a8386810ec5c44c
SHA512 59fbe9a43e4b82dfb26b4ae99ca1d40c2810a153034279275f0ceaf6fff1db59342cff6b86349b84c317abbadc041415c503c01015334b10e7c0c91c08ef9082

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fc5408c48a55314c72e200b74330cac4
SHA1 7e8889ec3189a40e6078088927bf3612753fa628
SHA256 7ea2a016d97635b1367455af2250cbf9e9c34d293829d11fc21ce905347590c4
SHA512 481753ef755c188012919ea728ea0395f22b6ce83f2f9a11675be6072f154db141b2382dc62ad7c3c95e36596529176a66f40e3d118cf0e33ea8e6f716ae1d77

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 16ce98ddfa8f4d2a88a765f789546876
SHA1 5f817515731de00def0a79f80695b537553db161
SHA256 11452f53930eb6f5acc9987fce6115b36ed905092c1f33671a488be3eb877285
SHA512 c9edab4969ac78da2388685a59dd6eae3e99d38ce81631bf69ae02dc9aedb081dc7d6a230c440f0be0760fe98cb2a21679b95c1864b74a5b807cc6c1d5accc6e

memory/1856-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1856-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1856-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1856-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1856-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1856-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1856-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1856-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1856-41-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 09:26

Reported

2024-04-09 09:28

Platform

win11-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\dd539935-a01b-42b2-97a3-97d65db79804\\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1236 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 1236 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 1236 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 1236 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 1236 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 1236 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 1236 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 1236 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 1236 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 1236 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 2008 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Windows\SysWOW64\icacls.exe
PID 2008 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Windows\SysWOW64\icacls.exe
PID 2008 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Windows\SysWOW64\icacls.exe
PID 2008 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 2008 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 2008 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 2964 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 2964 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 2964 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 2964 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 2964 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 2964 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 2964 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 2964 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 2964 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe
PID 2964 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe

Processes

C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe

"C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe"

C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe

"C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\dd539935-a01b-42b2-97a3-97d65db79804" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe

"C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe

"C:\Users\Admin\AppData\Local\Temp\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
CO 181.55.190.201:80 sdfjhuz.com tcp
KW 62.150.232.50:80 sajdfue.com tcp
KW 62.150.232.50:80 sajdfue.com tcp
KW 62.150.232.50:80 sajdfue.com tcp
KW 62.150.232.50:80 sajdfue.com tcp
KW 62.150.232.50:80 sajdfue.com tcp

Files

memory/1236-1-0x0000000004AA0000-0x0000000004B3C000-memory.dmp

memory/1236-2-0x0000000004B40000-0x0000000004C5B000-memory.dmp

memory/2008-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2008-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2008-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2008-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\dd539935-a01b-42b2-97a3-97d65db79804\235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d.exe

MD5 ee8058320fb4a8fb8246a79f2bdc6201
SHA1 97cc9afb26cc57eb82daa74319aaa8375175ff05
SHA256 235de559e03d9801d51c0fb033284e3a74ede0fbc24d9a064a35af879f64ff3d
SHA512 6a1b7cfc6a617a4cb9797cf4ee7791c5bb30ad8156683080e7fad00474d61fb8b1392bdfde658953d44cc41aeddfbab5ce836fc8b6b4ddae24064462942f8028

memory/2008-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2964-20-0x0000000004960000-0x0000000004A01000-memory.dmp

memory/3852-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3852-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3852-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 c264f9609a6390410c90b229e5c59d34
SHA1 7bc9a205f902109484500954f3e7b2de607505f0
SHA256 4090768f0208db163f0591813d7e3bd61b7a9243fb92a7469f3bab140e621159
SHA512 f96f9688b90d2343375d6553fe2d681076846fe691f625f0a9bf8f5b9d19d03575e29b41024c5e33937e58412283df24df0887a401698018b9e136f538dc8ab8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fc5408c48a55314c72e200b74330cac4
SHA1 7e8889ec3189a40e6078088927bf3612753fa628
SHA256 7ea2a016d97635b1367455af2250cbf9e9c34d293829d11fc21ce905347590c4
SHA512 481753ef755c188012919ea728ea0395f22b6ce83f2f9a11675be6072f154db141b2382dc62ad7c3c95e36596529176a66f40e3d118cf0e33ea8e6f716ae1d77

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 1c194023f0858da443d5ee0fd628df5e
SHA1 59b06cd1036a2e26d93e1961fceddb921a9f2927
SHA256 80ea6b0b8d354424266933acd66eb69219fe3606d38f17b7d4f59c9cf3c741e8
SHA512 1e9a26b85793cbe52327e2603ea54cd517dddb0ce11eb5e680206e046f645a3567f7f67acbfcd5bd60863b8fa60a4e15d63b7ac65eb5328b7df23a6e498fbe77

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

memory/3852-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3852-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3852-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3852-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3852-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3852-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3852-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3852-39-0x0000000000400000-0x0000000000537000-memory.dmp