Malware Analysis Report

2025-04-13 10:27

Sample ID 240415-3ffcpsbb48
Target 50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496
SHA256 50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496
Tags
djvu discovery persistence ransomware
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496

Threat Level: Known bad

The file 50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Modifies file permissions

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 23:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 23:27

Reported

2024-04-15 23:29

Platform

win10v2004-20240412-en

Max time kernel

90s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0ca49812-f7b2-4447-bc93-fa6adac3949e\\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 2768 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 2768 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 2768 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 2768 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 2768 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 2768 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 2768 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 2768 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 2768 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 1520 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Windows\SysWOW64\icacls.exe
PID 1520 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Windows\SysWOW64\icacls.exe
PID 1520 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Windows\SysWOW64\icacls.exe
PID 1520 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 1520 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 1520 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4648 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4648 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4648 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4648 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4648 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4648 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4648 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4648 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4648 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4648 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe

Processes

C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe

"C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe"

C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe

"C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\0ca49812-f7b2-4447-bc93-fa6adac3949e" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe

"C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe

"C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1812 -ip 1812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 568

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 13.89.179.14:443 tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/2768-1-0x0000000004B30000-0x0000000004BCE000-memory.dmp

memory/2768-2-0x0000000004BD0000-0x0000000004CEB000-memory.dmp

memory/1520-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1520-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1520-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1520-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\0ca49812-f7b2-4447-bc93-fa6adac3949e\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe

MD5 7bf2ed31e5b9c59d24f750dbbcf10ab5
SHA1 1ff4a18a6d8ec058be1896dc90757f42e60c588b
SHA256 50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496
SHA512 88ef1d7c63190df6e832dbb71f1790911e5f0b41c492de124f605d4a261e7c8b7a4519e23fc6d8abc9db642940431c97a622e6a7b6f71d7086644a1c7525c04d

memory/1520-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4648-22-0x00000000049B0000-0x0000000004A49000-memory.dmp

memory/1812-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1812-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1812-27-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 23:27

Reported

2024-04-15 23:29

Platform

win11-20240412-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8032b57f-c2ee-4e04-83b9-a1d42c353bb7\\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 2336 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 2336 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 2336 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 2336 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 2336 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 2336 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 2336 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 2336 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 2336 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 656 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Windows\SysWOW64\icacls.exe
PID 656 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Windows\SysWOW64\icacls.exe
PID 656 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Windows\SysWOW64\icacls.exe
PID 656 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 656 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 656 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4320 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4320 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4320 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4320 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4320 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4320 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4320 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4320 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4320 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe
PID 4320 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe

Processes

C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe

"C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe"

C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe

"C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\8032b57f-c2ee-4e04-83b9-a1d42c353bb7" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe

"C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe

"C:\Users\Admin\AppData\Local\Temp\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
BG 93.152.141.65:80 sdfjhuz.com tcp
KW 78.89.199.216:80 sdfjhuz.com tcp
BG 93.152.141.65:80 sdfjhuz.com tcp
BG 93.152.141.65:80 sdfjhuz.com tcp
BG 93.152.141.65:80 sdfjhuz.com tcp
BG 93.152.141.65:80 sdfjhuz.com tcp

Files

memory/2336-1-0x0000000004C00000-0x0000000004C95000-memory.dmp

memory/2336-2-0x0000000004CA0000-0x0000000004DBB000-memory.dmp

memory/656-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/656-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/656-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/656-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\8032b57f-c2ee-4e04-83b9-a1d42c353bb7\50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496.exe

MD5 7bf2ed31e5b9c59d24f750dbbcf10ab5
SHA1 1ff4a18a6d8ec058be1896dc90757f42e60c588b
SHA256 50979b951973f2f49176bca671a6be0c7109439c680d34a57cea62861d4e2496
SHA512 88ef1d7c63190df6e832dbb71f1790911e5f0b41c492de124f605d4a261e7c8b7a4519e23fc6d8abc9db642940431c97a622e6a7b6f71d7086644a1c7525c04d

memory/656-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4320-22-0x0000000004AF0000-0x0000000004B8B000-memory.dmp

memory/4484-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4484-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4484-26-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3c6a98dff2c8e5d41183fb934602bccf
SHA1 389eea4f6c8b9a19dd6efd65b2c979feeb4262a7
SHA256 8c5e90026091280487ae42d5c0f266528cacb6de18c7f3d693ecfdb547b06ac8
SHA512 fde8e5de812641dc896e8d8182dcf4244670e431f3310aba576f0f330a9d8a4221eb7513005e9755512d0c645cbf164c4c5f8872689d2e52a58b3f39668de8fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 9a159a096bfbecae70a0583baa15f2bc
SHA1 d33a2f2a1deab401933c924d5fa6eb14a3d2718a
SHA256 4894418011e794e79cdbd8cfcdd8fac5c57c356c91b11cd9a943954a3e194e2f
SHA512 8da0a3a05edf94ed44d7f8c59f8f694e6712c7c214d3cb1def24dfd956ed23e87d1090ab5d871e50ece4dd8af95732209b09bbd1d2d5fc763ac9217d73b3141c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 467bf8606e273d2f9c12984bc4b9809d
SHA1 9aa946948634a5ee67b3488135014e049a24c181
SHA256 f6eb9b2062836fef76891672afd1fade9d40e99226cdf12708268eb448867364
SHA512 6e103959f5c9d947b518ba32a2f178971fef8291e3b3496669a85e8e3421c4fcb47196e5e0b6ec8910d300bdb3790863c3c355e955919cc95b9fb015d15f9100

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

memory/4484-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4484-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4484-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4484-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4484-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4484-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4484-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4484-41-0x0000000000400000-0x0000000000537000-memory.dmp