Malware Analysis Report

2025-06-16 05:07

Sample ID 240409-lt2z7afc8s
Target a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f
SHA256 a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f
Tags
djvu discovery persistence ransomware
score
10/10


Analysis Overview

score
10/10

SHA256

a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f

Threat Level: Known bad

The file a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15 (matrix not included in this extract)

Analysis: static1

Detonation Overview

Reported

2024-04-09 09:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 09:50

Reported

2024-04-09 09:52

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (17 identical entries)

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\622f7fcd-b718-4e50-bc6a-c98eee1b9528\\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 identical entries)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1352 wrote to memory of 2244 (10 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe
PID 2244 wrote to memory of 4876 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe C:\Windows\SysWOW64\icacls.exe
PID 2244 wrote to memory of 3628 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe
PID 3628 wrote to memory of 3148 (10 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe

"C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe"

C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe

"C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\622f7fcd-b718-4e50-bc6a-c98eee1b9528" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe

"C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe

"C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 sajdfue.com udp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
IR 46.100.50.5:80 sajdfue.com tcp
KR 211.171.233.126:80 sdfjhuz.com tcp
IR 46.100.50.5:80 sajdfue.com tcp
US 8.8.8.8:53 126.233.171.211.in-addr.arpa udp
US 8.8.8.8:53 5.50.100.46.in-addr.arpa udp
IR 46.100.50.5:80 sajdfue.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
IR 46.100.50.5:80 sajdfue.com tcp (2 connections)
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 40.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/1352-1-0x0000000004B50000-0x0000000004BE8000-memory.dmp

memory/1352-2-0x0000000004BF0000-0x0000000004D0B000-memory.dmp

memory/2244-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2244-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2244-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2244-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\622f7fcd-b718-4e50-bc6a-c98eee1b9528\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe

MD5 3a8a7c0a60f77b76feac5c6f736119b8
SHA1 1966c2a7262aa4161958f168c4bc75dee4a291f4
SHA256 a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f
SHA512 3b29ffe7c556245f91838282a3667f097ff951936d3f3e054a3ae8d766c06605568f59c5020547e58523bf849ac5ac30f15d29363315c2c1b69a45953ac7d2d2

memory/2244-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3628-20-0x00000000048C0000-0x000000000495B000-memory.dmp

memory/3148-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3148-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3148-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fc5408c48a55314c72e200b74330cac4
SHA1 7e8889ec3189a40e6078088927bf3612753fa628
SHA256 7ea2a016d97635b1367455af2250cbf9e9c34d293829d11fc21ce905347590c4
SHA512 481753ef755c188012919ea728ea0395f22b6ce83f2f9a11675be6072f154db141b2382dc62ad7c3c95e36596529176a66f40e3d118cf0e33ea8e6f716ae1d77

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 edeaeee2db8bf0c849c0de68474259e4
SHA1 eb132a6b4a11481c50491978795fe9821f2ef966
SHA256 c90d48e9112a020d890e99083fdbb3b4dba2d79af2684fc7d032549b2a25731e
SHA512 d04f79278105cf40f350f7b7b70c2cacf710dcdc3f3d73c5105ac6e6249508db136d675371718729996c144fa7577d38b6197e5a5779919e72c71ff53e4ee3b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a791dc660eb1a20532715092eec9e1a2
SHA1 0d5e484ddf9c2d25e8c856d8447a9adcf113300b
SHA256 63ad6f14dedb9e1d22bc2a5bff7af908b9ada094d211559d596ac7395dbc0f6d
SHA512 6c2929b0dd28dd4fe4887df2ac95968deca1cdd91a1002ee1fcc99073f34460c16ff187e4b3f9ecd827d8cc1ea7543d6fa46944130c2c8681d88213d17574c13

memory/3148-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3148-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3148-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3148-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3148-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3148-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3148-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3148-39-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 09:50

Reported

2024-04-09 09:52

Platform

win11-20240221-en

Max time kernel

143s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (17 identical entries)

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\19c5fb75-ae0c-41c6-a592-c1c7534e14d3\\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 identical entries)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3916 wrote to memory of 404 (10 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe
PID 404 wrote to memory of 2528 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe C:\Windows\SysWOW64\icacls.exe
PID 404 wrote to memory of 3444 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe
PID 3444 wrote to memory of 1032 (10 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe

"C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe"

C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe

"C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\19c5fb75-ae0c-41c6-a592-c1c7534e14d3" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe

"C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe

"C:\Users\Admin\AppData\Local\Temp\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
RO 78.97.81.142:80 sdfjhuz.com tcp
KR 211.119.84.111:80 sajdfue.com tcp (5 connections)

Files

memory/3916-1-0x0000000004BF0000-0x0000000004C8C000-memory.dmp

memory/3916-2-0x0000000004C90000-0x0000000004DAB000-memory.dmp

memory/404-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/404-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/404-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/404-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\19c5fb75-ae0c-41c6-a592-c1c7534e14d3\a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f.exe

MD5 3a8a7c0a60f77b76feac5c6f736119b8
SHA1 1966c2a7262aa4161958f168c4bc75dee4a291f4
SHA256 a9bc848466303ba203b2d8648ba71bc9e15115fbcaf723b0e47f47f91585e33f
SHA512 3b29ffe7c556245f91838282a3667f097ff951936d3f3e054a3ae8d766c06605568f59c5020547e58523bf849ac5ac30f15d29363315c2c1b69a45953ac7d2d2

memory/404-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3444-20-0x0000000002FC0000-0x0000000003053000-memory.dmp

memory/1032-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1032-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1032-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 b2b7d1020b419952c9d3dad123ba2f15
SHA1 93b559545b242b05a97098d811ca77cb763f8449
SHA256 2a8caa0fbce62e0a551202430295867e0d4ed58eddfcec534b5c2df5e3795222
SHA512 abadee643b7927b4da58b71de90ce92968525a37a7d5c6f00c342672513a80bf9048cd636a5707c5ac271fd0efb5896065d155e56e00aafd86789ace7e0d3f94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fc5408c48a55314c72e200b74330cac4
SHA1 7e8889ec3189a40e6078088927bf3612753fa628
SHA256 7ea2a016d97635b1367455af2250cbf9e9c34d293829d11fc21ce905347590c4
SHA512 481753ef755c188012919ea728ea0395f22b6ce83f2f9a11675be6072f154db141b2382dc62ad7c3c95e36596529176a66f40e3d118cf0e33ea8e6f716ae1d77

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 6c4e4c1ba6120e79a921c78fc4420d98
SHA1 7393e3394deae984e1d0636e7a84c52eaa030709
SHA256 7163eff14947a55ee70fd563d0451bac4ec1c4567f21e1ed0e963c8f0ea20732
SHA512 cf7b2bf2105068f2ce12a5e25687aec782a14863d38e358b3d539a853cc89fde10775ddf37f9c8fa9bb5a4c4264432915d15b407c065e64fb6547a10b00e8dca

memory/1032-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1032-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1032-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1032-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1032-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1032-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1032-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1032-39-0x0000000000400000-0x0000000000537000-memory.dmp