Malware Analysis Report

2025-04-13 10:27

Sample ID 240415-syjgzahh39
Target 2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38
SHA256 2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38
Tags
djvu discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38

Threat Level: Known bad

The file 2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Modifies file permissions

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 15:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 15:31

Reported

2024-04-15 15:34

Platform

win10v2004-20240412-en

Max time kernel

143s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a2546bf4-60f6-4fec-b208-6f41c85c4934\\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1472 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 1472 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 1472 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 1472 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 1472 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 1472 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 1472 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 1472 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 1472 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 1472 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 3964 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Windows\SysWOW64\icacls.exe
PID 3964 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Windows\SysWOW64\icacls.exe
PID 3964 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Windows\SysWOW64\icacls.exe
PID 3964 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 3964 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 3964 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 4396 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 4396 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 4396 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 4396 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 4396 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 4396 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 4396 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 4396 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 4396 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 4396 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
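The WriteProcessMemory rows above are the raw evidence for the injection chain, and the counts matter: the sample writes ten times into a fresh copy of itself (1472 into 3964, then 4396 into 2104) but only three times when it merely launches icacls (3964 into 2792) or relaunches itself with new arguments (3964 into 4396). The Python below is an added example, not part of the sandbox report or of any tooling it uses, that collapses the rows into a process tree and uses that contrast to mark which children were hollowed. It assumes the three writes on the icacls launch are the sandbox's own process-creation overhead rather than payload, so a same-image child receiving more writes than that baseline is treated as self-injection; the 0x400000-0x537000 memory dumps of PIDs 3964 and 2104 in the Files section are consistent with that reading. behavioral2 shows the same shape with different PIDs (1148 into 2412, 2412 into 4980 and 3368, 3368 into 2848).

```python
import re
from collections import defaultdict

# Constructed from the behavioral1 WriteProcessMemory table on this page:
# one entry per printed row, so the repeats carry the write count.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe")
ICACLS = r"C:\Windows\SysWOW64\icacls.exe"
WPM_ROWS = (
    [f"PID 1472 wrote to memory of 3964 N/A {SAMPLE} {SAMPLE}"] * 10
    + [f"PID 3964 wrote to memory of 2792 N/A {SAMPLE} {ICACLS}"] * 3
    + [f"PID 3964 wrote to memory of 4396 N/A {SAMPLE} {SAMPLE}"] * 3
    + [f"PID 4396 wrote to memory of 2104 N/A {SAMPLE} {SAMPLE}"] * 10
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_rows(rows):
    """Collapse the per-write rows into one edge per (writer, target) with a write count."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        key = (int(m[1]), int(m[2]))
        e = edges.setdefault(key, {"src_image": m[3], "dst_image": m[4], "writes": 0})
        e["writes"] += 1
    return edges


def root_pids(edges):
    """Processes that write into others but are never written into: the chain's origin."""
    srcs = {s for s, _ in edges}
    dsts = {d for _, d in edges}
    return sorted(srcs - dsts)


def spawn_baseline(edges):
    """Writes recorded when a parent merely creates a child of a different image
    (here the icacls launch). Assumption: that is the monitor's process-creation
    overhead, not a payload being written."""
    counts = [e["writes"] for e in edges.values() if e["src_image"] != e["dst_image"]]
    return max(counts, default=0)


def self_injection_edges(edges):
    """Heuristic for process hollowing: a parent writes into a child running the
    same image, and does so more often than a plain process creation would."""
    base = spawn_baseline(edges)
    return sorted((s, d) for (s, d), e in edges.items()
                  if e["src_image"] == e["dst_image"] and e["writes"] > base)


def icacls_spawns(edges):
    """Children that are icacls.exe, the ACL-tampering step of this chain."""
    return sorted((s, d) for (s, d), e in edges.items()
                  if e["dst_image"].lower().endswith("\\icacls.exe"))


def render_tree(edges):
    """Indented process tree, marking hollowed children and the icacls launch."""
    children = defaultdict(list)
    for s, d in edges:
        children[s].append(d)
    hollowed = {d for _, d in self_injection_edges(edges)}
    acl = {d for _, d in icacls_spawns(edges)}
    lines = []

    def walk(pid, depth):
        tag = " [hollowed]" if pid in hollowed else " [icacls]" if pid in acl else ""
        lines.append("  " * depth + f"{pid}{tag}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for r in root_pids(edges):
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(parse_rows(WPM_ROWS)))
```

The tree this prints is 1472, then 3964 marked hollowed, with 2792 (icacls) and 4396 beneath it and 2104 marked hollowed beneath 4396. The baseline trick is specific to how this sandbox reports writes; on an EDR that records only the first write to a new process it would not work, and the dumps of the child's image range are the stronger evidence.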

Processes

C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe

"C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe"

C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe

"C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\a2546bf4-60f6-4fec-b208-6f41c85c4934" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe

"C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe

"C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe" --Admin IsNotAutoStart IsNotTask
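The Run-key value and the icacls command line together form the persistence: a copy of the sample in a GUID-named folder under %LOCALAPPDATA% is registered as SysHelper with --AutoStart, and that folder is then given a deny ACE so that Everyone (S-1-1-0) loses delete (DE) and delete-child (DC) on it and, through (OI)(CI), on everything created beneath it. The Python below is an added example, not the report's or the sandbox's code, that parses the two artifacts exactly as this page prints them (the registry data quoted with escaped backslashes and inner quotes) and checks that they describe the same folder, since a deny on some other directory would not protect the persisted copy. Only rows from this page are used as input.

```python
import ntpath
import re

# Constructed from the "Adds Run key" signature rows and the icacls command
# lines recorded in behavioral1 and behavioral2 on this page. The registry
# data is kept as the report prints it: quoted, with backslashes and inner
# quotes escaped.
RUN_KEY_ROWS = {
    "behavioral1": (
        r'Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000'
        r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin'
        r'\\AppData\\Local\\a2546bf4-60f6-4fec-b208-6f41c85c4934\\2ee7942af6d8e33fee4035'
        r'fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe\" --AutoStart"'
    ),
    "behavioral2": (
        r'Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000'
        r'\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin'
        r'\\AppData\\Local\\7c547e90-b8cc-49aa-b57e-068db3f191b5\\2ee7942af6d8e33fee4035'
        r'fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe\" --AutoStart"'
    ),
}
ICACLS_CMDS = {
    "behavioral1": r'icacls "C:\Users\Admin\AppData\Local\a2546bf4-60f6-4fec-b208-6f41c85c4934" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    "behavioral2": r'icacls "C:\Users\Admin\AppData\Local\7c547e90-b8cc-49aa-b57e-068db3f191b5" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
}

RUN_RE = re.compile(r'^Set value \((\w+)\) (.+?)\\([^\\ ]+) = "((?:[^"\\]|\\.)*)"')
CMD_RE = re.compile(r'^"([^"]+)"\s*(.*)$')
ICACLS_RE = re.compile(r'^icacls\s+"([^"]+)"\s+/deny\s+(\*?S-[0-9-]+):((?:\([A-Z,]+\))+)')
GUID_RE = re.compile(r'^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$', re.I)
INHERIT = {"OI", "CI", "IO", "NP"}   # icacls inheritance flags, as opposed to rights
EVERYONE = "S-1-1-0"


def parse_run_value(row):
    """Split a 'Set value' row into key path, value name and the unescaped command line."""
    m = RUN_RE.match(row.strip())
    if not m:
        raise ValueError("not a Set value row")
    data = re.sub(r'\\(.)', r'\1', m[4])          # undo the report's escaping
    cm = CMD_RE.match(data)
    exe, args = (cm[1], cm[2]) if cm else (data, "")
    return {"type": m[1], "key": m[2], "name": m[3], "exe": exe, "args": args}


def parse_icacls(cmd):
    """Extract target path, SID and the inheritance/rights flags of an icacls /deny."""
    m = ICACLS_RE.match(cmd.strip())
    if not m:
        raise ValueError("not an icacls /deny command")
    flags = re.findall(r'\(([A-Z,]+)\)', m[3])
    inherit = {f for f in flags if f in INHERIT}
    rights = {r for f in flags if f not in INHERIT for r in f.split(",")}
    return {"path": m[1], "sid": m[2].lstrip("*"), "inherit": inherit, "rights": rights}


def assess(run_row, icacls_cmd):
    """The four properties that make this a self-protecting Run-key persistence:
    autostart argument, copy in a GUID folder under %LOCALAPPDATA%, the deny ACE
    placed on exactly that folder, and Everyone denied delete with inheritance."""
    run, acl = parse_run_value(run_row), parse_icacls(icacls_cmd)
    drop_dir = ntpath.dirname(run["exe"])
    return {
        "value_name": run["name"],
        "guid_dir": ntpath.basename(drop_dir),
        "autostart_arg": "--AutoStart" in run["args"].split(),
        "guid_dir_under_localappdata": bool(GUID_RE.match(ntpath.basename(drop_dir)))
            and ntpath.normcase(ntpath.dirname(drop_dir)).endswith(r"\appdata\local"),
        "acl_on_drop_dir": ntpath.normcase(acl["path"]) == ntpath.normcase(drop_dir),
        "everyone_denied_delete": acl["sid"] == EVERYONE
            and {"DE", "DC"} <= acl["rights"] and {"OI", "CI"} <= acl["inherit"],
    }


if __name__ == "__main__":
    for run in RUN_KEY_ROWS:
        print(run, assess(RUN_KEY_ROWS[run], ICACLS_CMDS[run]))
```

The ACE denies deletion only; the dropped file stays readable, so it can still be hashed and submitted (its MD5, SHA1 and SHA256 in the Files section match the original sample). To remove it, clear the deny entry first, for example `icacls <folder> /remove:d *S-1-1-0`, then delete the folder and the SysHelper value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.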

Network

Country Destination Domain Proto
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.2:443 api.2ip.ua tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 188.114.96.2:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 sajdfue.com udp
CO 181.129.118.140:80 sdfjhuz.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
KR 211.181.24.133:80 sajdfue.com tcp
KR 211.181.24.133:80 sajdfue.com tcp
US 8.8.8.8:53 140.118.129.181.in-addr.arpa udp
US 8.8.8.8:53 133.24.181.211.in-addr.arpa udp
KR 211.181.24.133:80 sajdfue.com tcp
KR 211.181.24.133:80 sajdfue.com tcp
KR 211.181.24.133:80 sajdfue.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

memory/1472-1-0x0000000004B10000-0x0000000004BA7000-memory.dmp

memory/1472-2-0x0000000004BB0000-0x0000000004CCB000-memory.dmp

memory/3964-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3964-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3964-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3964-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\a2546bf4-60f6-4fec-b208-6f41c85c4934\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe

MD5 db5427457fb2592b4b7b630ceae0193e
SHA1 8a8a4506975b1f11bf2047cc9d43c72370e7fb28
SHA256 2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38
SHA512 a686d28e056f831042ffa906e4882107d2f5b170b61d00fc2e1f39cac4ab51cf4c7645f340bfb622d28ae934a8aed366ef715f5b07143acf846d9a5639cb57b8

memory/3964-15-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4396-18-0x00000000049F0000-0x0000000004A91000-memory.dmp

memory/2104-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2104-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2104-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 0836b385c78e554b37b05f2b82e1d262
SHA1 7bb738da5da99f88806bb71a02add22ed7aeaad1
SHA256 f9e6699017b010595ce86ae369024b0f6644374b1f8b43180cf2997cbed928ba
SHA512 626946bdcbddefaad76376aa2f569923d869a3885455d630594e91f6823fa88008199efe860cb76d14f8a6066611d7b21bed0ea23bc601226ecbd9d33d8515d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 f741810cb830974aebab5f43eb80bc43
SHA1 1019ffd11ba07f662659b7f244d2743b4b1562c3
SHA256 20c4d592f763227cd6ed7fc812ae9d65edd6e046c30a70e7c694c579d9f1580a
SHA512 607ca542510b2a90fbade08569e449fdf35673dc4f045c4ca61982666fe2dd694d265835ebe2d90146dfcecedc7f229804c8e235d8eb9ca36f761064522539f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 e894578529f08059db9589e4607fdeac
SHA1 6566f4c9f4f30aa148749a0bd35a254a670958a3
SHA256 4c5bc1c96a5c3e15ebe3a8947c3c092e49a7fac7c90e4f048948a93818b99d15
SHA512 535ee8a5a3b8603675260ff40ef2ad176c053f63f61d1f2fbd5c178f1be34c8213746273b8f461d7a0ae39413dbf56737b0db7f806a5c78d28faa4e7a196ef57

memory/2104-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2104-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2104-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2104-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2104-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2104-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2104-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2104-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 15:31

Reported

2024-04-15 15:34

Platform

win11-20240412-en

Max time kernel

143s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7c547e90-b8cc-49aa-b57e-068db3f191b5\\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1148 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 1148 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 1148 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 1148 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 1148 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 1148 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 1148 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 1148 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 1148 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 1148 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 2412 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Windows\SysWOW64\icacls.exe
PID 2412 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Windows\SysWOW64\icacls.exe
PID 2412 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Windows\SysWOW64\icacls.exe
PID 2412 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 2412 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 2412 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 3368 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 3368 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 3368 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 3368 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 3368 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 3368 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 3368 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 3368 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 3368 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe
PID 3368 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe

"C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe"

C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe

"C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\7c547e90-b8cc-49aa-b57e-068db3f191b5" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe

"C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe

"C:\Users\Admin\AppData\Local\Temp\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
BA 92.36.226.66:80 sajdfue.com tcp
IR 93.118.137.82:80 sdfjhuz.com tcp
BA 92.36.226.66:80 sajdfue.com tcp
BA 92.36.226.66:80 sajdfue.com tcp
BA 92.36.226.66:80 sajdfue.com tcp
BA 92.36.226.66:80 sajdfue.com tcp
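Both detonations were submitted at 2024-04-15 15:31 and contact the same three domains, yet none resolves to the same address twice: api.2ip.ua is 188.114.96.2 in behavioral1 and 172.67.139.220 in behavioral2, sdfjhuz.com moves from 181.129.118.140 (CO) to 93.118.137.82 (IR), and sajdfue.com from 211.181.24.133 (KR) to 92.36.226.66 (BA). The Python below is an added example, not from the report or the sandbox, that parses both Network tables as printed on this page, discards the resolver, reverse-lookup and background-OS rows, and lists the domains the sample actually connected to together with the address drift between runs. It assumes 8.8.8.8 is the sandbox's resolver and that g.bing.com is Windows background traffic rather than something the sample asked for.

```python
import re
from collections import defaultdict

# Constructed from the Network tables of behavioral1 and behavioral2 on this
# page (column order: Country Destination Domain Proto).
BEHAVIORAL1 = """
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.2:443 api.2ip.ua tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 188.114.96.2:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 sajdfue.com udp
CO 181.129.118.140:80 sdfjhuz.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
KR 211.181.24.133:80 sajdfue.com tcp
KR 211.181.24.133:80 sajdfue.com tcp
US 8.8.8.8:53 140.118.129.181.in-addr.arpa udp
US 8.8.8.8:53 133.24.181.211.in-addr.arpa udp
KR 211.181.24.133:80 sajdfue.com tcp
KR 211.181.24.133:80 sajdfue.com tcp
KR 211.181.24.133:80 sajdfue.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
"""
BEHAVIORAL2 = """
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
BA 92.36.226.66:80 sajdfue.com tcp
IR 93.118.137.82:80 sdfjhuz.com tcp
BA 92.36.226.66:80 sajdfue.com tcp
BA 92.36.226.66:80 sajdfue.com tcp
BA 92.36.226.66:80 sajdfue.com tcp
BA 92.36.226.66:80 sajdfue.com tcp
"""

ROW_RE = re.compile(r"^([A-Z]{2}) (\d+\.\d+\.\d+\.\d+):(\d+) (\S+) (tcp|udp)$")
# Assumptions: the sandbox resolves through 8.8.8.8, and g.bing.com is
# Windows background traffic rather than something the sample requested.
RESOLVERS = {"8.8.8.8"}
BASELINE_DOMAINS = {"g.bing.com"}


def parse_network(text):
    """One dict per table row; rows that do not fit the column layout are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"country": m[1], "ip": m[2], "port": int(m[3]),
                         "domain": m[4], "proto": m[5]})
    return rows


def is_noise(row):
    """DNS to the resolver, the reverse lookups the sandbox does for its own
    report, and baseline OS traffic carry no indicator value."""
    return (row["ip"] in RESOLVERS
            or row["domain"].endswith(".in-addr.arpa")
            or row["domain"] in BASELINE_DOMAINS)


def contacts(text):
    """Domains the sample actually connected to, with the (ip, port, country) seen."""
    out = defaultdict(set)
    for r in parse_network(text):
        if not is_noise(r):
            out[r["domain"]].add((r["ip"], r["port"], r["country"]))
    return dict(out)


def infrastructure_drift(text_a, text_b):
    """Domains seen in both detonations whose resolved addresses do not overlap."""
    a, b = contacts(text_a), contacts(text_b)
    drift = {}
    for d in a.keys() & b.keys():
        ips_a = {ip for ip, _, _ in a[d]}
        ips_b = {ip for ip, _, _ in b[d]}
        if not ips_a & ips_b:
            drift[d] = (sorted(ips_a), sorted(ips_b))
    return drift


if __name__ == "__main__":
    for domain, (ips1, ips2) in sorted(infrastructure_drift(BEHAVIORAL1, BEHAVIORAL2).items()):
        print(domain, ips1, "->", ips2)
```

Block and hunt on the domain names rather than on the addresses: two runs submitted in the same minute already disagree on every IP, so an IP-only blocklist built from one detonation would miss the next. api.2ip.ua is a public IP-echo service (the "Looks up external IP address via web service" signature), so the lookup is a behavioural indicator of this family, not attacker infrastructure; sdfjhuz.com and sajdfue.com, reached over plain HTTP on port 80 in both runs, are the hosts worth blocking.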

Files

memory/1148-1-0x0000000004BF0000-0x0000000004C8B000-memory.dmp

memory/2412-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2412-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2412-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1148-2-0x0000000004C90000-0x0000000004DAB000-memory.dmp

memory/2412-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\7c547e90-b8cc-49aa-b57e-068db3f191b5\2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38.exe

MD5 db5427457fb2592b4b7b630ceae0193e
SHA1 8a8a4506975b1f11bf2047cc9d43c72370e7fb28
SHA256 2ee7942af6d8e33fee4035fa4348f83303f31ab58f71d621889fa2bc2e724f38
SHA512 a686d28e056f831042ffa906e4882107d2f5b170b61d00fc2e1f39cac4ab51cf4c7645f340bfb622d28ae934a8aed366ef715f5b07143acf846d9a5639cb57b8

memory/2412-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3368-20-0x0000000004AD0000-0x0000000004B6D000-memory.dmp

memory/2848-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2848-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2848-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 027e8f427685e557dbe3456b2bb17fe0
SHA1 c838921bfe16abcf76de697d880ac06f570ff2fd
SHA256 7d6dc26ef572bb17204d1cd5259621ceee7006f84822aeacf20da2147297bef3
SHA512 1caef596a26b6c1d672a2431282eab9f2919b33ce8dca96e992e852cb77f0f93f928c2ff76e233c969a459df5f42a4af43c84ed50f0b5b3fffaed9315a7919b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 f741810cb830974aebab5f43eb80bc43
SHA1 1019ffd11ba07f662659b7f244d2743b4b1562c3
SHA256 20c4d592f763227cd6ed7fc812ae9d65edd6e046c30a70e7c694c579d9f1580a
SHA512 607ca542510b2a90fbade08569e449fdf35673dc4f045c4ca61982666fe2dd694d265835ebe2d90146dfcecedc7f229804c8e235d8eb9ca36f761064522539f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 af20bb94195d3d72ac5c6b441950a756
SHA1 d88f37de509a4d6cdd50053f5f7f3961041fa0f7
SHA256 c1529d29dda5c9ab6f68c35a798d5b6ed0c711e95f9427a4cf244777bcd97801
SHA512 7233356267e1015cab202ad4e494e124237efb2d19d16c1525ec7bbcca43304b95114fee2d8418163e20af34364e89e8804a4bb4f20afd4c79bb386f6fb0164e

memory/2848-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2848-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2848-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2848-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2848-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2848-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2848-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2848-39-0x0000000000400000-0x0000000000537000-memory.dmp