Malware Analysis Report

2025-04-13 10:27

Sample ID 240415-3ckg9ada7x
Target 90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84
SHA256 90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84
Tags
djvu discovery persistence ransomware
score
10/10


Analysis Overview

Threat Level: Known bad

The file 90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 23:22

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 23:22

Reported

2024-04-15 23:24

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe
Target: N/A

Modifies file permissions

discovery
Process: C:\Windows\SysWOW64\icacls.exe
Description, Indicator, Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\82b24f37-7b70-482b-8d90-c8cecc841d39\\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe\" --AutoStart"
Process: C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe
Target: N/A

Looks up external IP address via web service

Indicator: api.2ip.ua (reported 3 times)
Description, Process, Target: N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description (event count): Process -> Target (Indicator is N/A for every row)
PID 2656 wrote to memory of 3636 (10 events): C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe -> C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe
PID 3636 wrote to memory of 2296 (3 events): C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe -> C:\Windows\SysWOW64\icacls.exe
PID 3636 wrote to memory of 1472 (3 events): C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe -> C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe
PID 1472 wrote to memory of 548 (10 events): C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe -> C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe

Processes

C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe

"C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe"

C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe

"C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\82b24f37-7b70-482b-8d90-c8cecc841d39" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe

"C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe

"C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 sajdfue.com udp
PK 116.58.10.59:80 sajdfue.com tcp
KR 175.119.10.231:80 sdfjhuz.com tcp
PK 116.58.10.59:80 sajdfue.com tcp
US 8.8.8.8:53 59.10.58.116.in-addr.arpa udp
US 8.8.8.8:53 231.10.119.175.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
PK 116.58.10.59:80 sajdfue.com tcp
PK 116.58.10.59:80 sajdfue.com tcp
PK 116.58.10.59:80 sajdfue.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

memory/2656-1-0x0000000002F60000-0x0000000003001000-memory.dmp

memory/2656-2-0x0000000004BB0000-0x0000000004CCB000-memory.dmp

memory/3636-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3636-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3636-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3636-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\82b24f37-7b70-482b-8d90-c8cecc841d39\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe

MD5 e2a733f51b662778b62c47f9e6727c00
SHA1 8b358b86b59be7ec513807b620f3bd88ec72dfef
SHA256 90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84
SHA512 72d12b0039fcc5cc5d19b08b53fed47c97e10fdf64e13b99ecb872705185d54f0c5a7ae9a7b53562749cbdf7cf110870c56ad40277bd05b005012578b6e6d4c8

memory/3636-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1472-22-0x00000000049D0000-0x0000000004A69000-memory.dmp

memory/548-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/548-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/548-26-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3caddcc7a8fa5e9a3a2db4c145f5ddae
SHA1 06c4f68dd38a9791fa82c4e0d1795ffefa07b029
SHA256 91d46903ceaaba7c589f2f76f5391ea31c8248a78d9ff785caa12c166ab52e55
SHA512 b7723a6f7644f96b2f5ae04ddfceb5eb038a1e9a4dd949261fba56ab7692b87862f84edb20b3225ae6791df3eca8b9e7522cd378fec6f728ab42a9dbb38e2d19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 975322ef2628d7ad1ae00600667221fc
SHA1 42d2c551eeded5827a99a782f2e184ddf9b9ca60
SHA256 4e8880a4d5d6d3bc7cc8e7590570de5e31f5b4239bfa9b3cc1a7fc31d4245672
SHA512 3c867dfc216b741cbd76f8e2108e50bfe6b2a3f18c25584a61bb3b75107ccf2115909c97641396ad2470f8fd65e02440f2b7b20f3d03461ca3b6fb519bb2cd71

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3c6a98dff2c8e5d41183fb934602bccf
SHA1 389eea4f6c8b9a19dd6efd65b2c979feeb4262a7
SHA256 8c5e90026091280487ae42d5c0f266528cacb6de18c7f3d693ecfdb547b06ac8
SHA512 fde8e5de812641dc896e8d8182dcf4244670e431f3310aba576f0f330a9d8a4221eb7513005e9755512d0c645cbf164c4c5f8872689d2e52a58b3f39668de8fd

memory/548-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/548-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/548-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/548-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/548-41-0x0000000000400000-0x0000000000537000-memory.dmp

memory/548-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/548-42-0x0000000000400000-0x0000000000537000-memory.dmp

memory/548-43-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 23:22

Reported

2024-04-15 23:24

Platform

win11-20240412-en

Max time kernel

155s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Process: C:\Windows\SysWOW64\icacls.exe
Description, Indicator, Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\98cf148f-3035-4ce7-9041-e25f5670bb4d\\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe\" --AutoStart"
Process: C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe
Target: N/A

Looks up external IP address via web service

Indicator: api.2ip.ua (reported 3 times)
Description, Process, Target: N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description (event count): Process -> Target (Indicator is N/A for every row)
PID 4892 wrote to memory of 4236 (10 events): C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe -> C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe
PID 4236 wrote to memory of 3956 (3 events): C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe -> C:\Windows\SysWOW64\icacls.exe
PID 4236 wrote to memory of 3564 (3 events): C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe -> C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe
PID 3564 wrote to memory of 4340 (10 events): C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe -> C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe

Processes

C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe

"C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe"

C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe

"C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\98cf148f-3035-4ce7-9041-e25f5670bb4d" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe

"C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe

"C:\Users\Admin\AppData\Local\Temp\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
PK 116.58.10.59:80 sajdfue.com tcp
KR 175.119.10.231:80 sdfjhuz.com tcp
PK 116.58.10.59:80 sajdfue.com tcp
PK 116.58.10.59:80 sajdfue.com tcp
PK 116.58.10.59:80 sajdfue.com tcp
PK 116.58.10.59:80 sajdfue.com tcp

Files

memory/4892-1-0x0000000004C10000-0x0000000004CB2000-memory.dmp

memory/4892-2-0x0000000004CC0000-0x0000000004DDB000-memory.dmp

memory/4236-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4236-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4236-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4236-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\98cf148f-3035-4ce7-9041-e25f5670bb4d\90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84.exe

MD5 e2a733f51b662778b62c47f9e6727c00
SHA1 8b358b86b59be7ec513807b620f3bd88ec72dfef
SHA256 90b0578ebea410345cb75e528773c510d4ae9f124160745233efb6eef3930c84
SHA512 72d12b0039fcc5cc5d19b08b53fed47c97e10fdf64e13b99ecb872705185d54f0c5a7ae9a7b53562749cbdf7cf110870c56ad40277bd05b005012578b6e6d4c8

memory/4236-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3564-21-0x0000000004B40000-0x0000000004BDC000-memory.dmp

memory/4340-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3c6a98dff2c8e5d41183fb934602bccf
SHA1 389eea4f6c8b9a19dd6efd65b2c979feeb4262a7
SHA256 8c5e90026091280487ae42d5c0f266528cacb6de18c7f3d693ecfdb547b06ac8
SHA512 fde8e5de812641dc896e8d8182dcf4244670e431f3310aba576f0f330a9d8a4221eb7513005e9755512d0c645cbf164c4c5f8872689d2e52a58b3f39668de8fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 e32863480615be830c1475a83ce63b49
SHA1 0bd099b0665c07b2e2f023da5f774ad25ffa1a94
SHA256 c4213da8a9fd66222df0dedf2b063a1963c45560d55df6319aaf108c8510b612
SHA512 f71a502f6eb9a3158d48566d28e5f1ca876648413555c2d09140784a5489f947ddc33575792141724c9cf7503092d357a09773f69b5550bc58127ee91da5c7ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 31d3362d58f9edfde4d2337ae0547a1f
SHA1 70187b3031002fb374f770bac1be58c09c9134ed
SHA256 d454d9408227d98d58a2ff01a559bce4f0e464d5fb13a5ac656749d69ea6082b
SHA512 930bbd2bdc4998e3bff42aea18fef225f0604ae933efbe628db1c326a175b0dab5a22b820f227d9326d4b5b5f56feca4d3aed47a927ffa7551decc2bde098322

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

memory/4340-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-41-0x0000000000400000-0x0000000000537000-memory.dmp