Malware Analysis Report

2025-04-13 10:27

Sample ID 240415-tjd5daae29
Target d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022
SHA256 d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022
Tags: djvu discovery persistence ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256 d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022

Threat Level: Known bad

The file d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-15 16:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-15 16:04
Reported: 2024-04-15 16:07
Platform: win10v2004-20240412-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\27251b15-e46b-498c-9f7f-d393760feeef\\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3092 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 3092 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 3092 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 3092 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 3092 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 3092 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 3092 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 3092 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 3092 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 3092 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 2188 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Windows\SysWOW64\icacls.exe
PID 2188 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Windows\SysWOW64\icacls.exe
PID 2188 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Windows\SysWOW64\icacls.exe
PID 2188 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 2188 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 2188 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4092 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4092 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4092 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4092 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4092 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4092 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4092 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4092 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4092 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4092 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe

"C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe"

C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe

"C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\27251b15-e46b-498c-9f7f-d393760feeef" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe

"C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe

"C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.2:443 api.2ip.ua tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 188.114.96.2:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 sajdfue.com udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
AR 190.195.60.212:80 sajdfue.com tcp
KR 183.100.39.16:80 sajdfue.com tcp
KR 183.100.39.16:80 sajdfue.com tcp
US 8.8.8.8:53 16.39.100.183.in-addr.arpa udp
US 8.8.8.8:53 212.60.195.190.in-addr.arpa udp
KR 183.100.39.16:80 sajdfue.com tcp
KR 183.100.39.16:80 sajdfue.com tcp
KR 183.100.39.16:80 sajdfue.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3092-1-0x0000000004AF0000-0x0000000004B82000-memory.dmp

memory/3092-2-0x0000000004B90000-0x0000000004CAB000-memory.dmp

memory/2188-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2188-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2188-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2188-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\27251b15-e46b-498c-9f7f-d393760feeef\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe

MD5 bd9cc7d219c9c1b402e9e479077eb1fd
SHA1 2b13c4ba018730a0e90c150a44f3e7bc127b465f
SHA256 d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022
SHA512 72fd8443954d232ff385d1b96267f4d651963af97441fe8f8ea0500576bba90617ebe60d881e0ad502c4385db922bcdb0b04ff7893921550ab05ec8a1c5c0d56

memory/2188-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4092-20-0x00000000049D0000-0x0000000004A63000-memory.dmp

memory/4532-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4532-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4532-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 f741810cb830974aebab5f43eb80bc43
SHA1 1019ffd11ba07f662659b7f244d2743b4b1562c3
SHA256 20c4d592f763227cd6ed7fc812ae9d65edd6e046c30a70e7c694c579d9f1580a
SHA512 607ca542510b2a90fbade08569e449fdf35673dc4f045c4ca61982666fe2dd694d265835ebe2d90146dfcecedc7f229804c8e235d8eb9ca36f761064522539f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 e0d37cfb478e0788ce7de5c767990144
SHA1 c29cd8351dbca58151d553053dee74aedd67a702
SHA256 fde2213bfc24ff1af64cb193a97d90206b4fdac1bf03da26bd657d0fcb6f939d
SHA512 3ad80e40f01a45523b5d9b8b26852a12de07e368e4092f8b99e48c3e755a738dc01c1070f4dd19b67efd9abd0ef5fb1023bfb30c37310c932f2d9ab61d0acf87

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 5111374489959d64e55b5e104ab4e5b0
SHA1 3f76c62421acef80328923ca9820978cd6b93bad
SHA256 b62ebf499608b31b25ae2f5904aaecf658e91a93eff19720ce27672b650fec15
SHA512 2c67762ebbdec39d4155b0f98eaf82364516b9d325a89e0f2650ae5ce2babd89bde4b7492501b6d52ac2a484e1e7dfd29e11f2f2201a7c0839520cdb3db82d9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

memory/4532-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4532-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4532-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4532-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4532-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4532-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4532-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4532-39-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-15 16:04
Reported: 2024-04-15 16:07
Platform: win11-20240412-en
Max time kernel: 147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\062346fb-d56a-4c7a-8405-9761b48807be\\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 704 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 704 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 704 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 704 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 704 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 704 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 704 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 704 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 704 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 704 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 2308 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Windows\SysWOW64\icacls.exe
PID 2308 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Windows\SysWOW64\icacls.exe
PID 2308 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Windows\SysWOW64\icacls.exe
PID 2308 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 2308 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 2308 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4276 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4276 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4276 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4276 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4276 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4276 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4276 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4276 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4276 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe
PID 4276 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe

"C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe"

C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe

"C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\062346fb-d56a-4c7a-8405-9761b48807be" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe

"C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe

"C:\Users\Admin\AppData\Local\Temp\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.2:443 api.2ip.ua tcp
US 188.114.97.2:443 api.2ip.ua tcp
CO 179.33.180.97:80 sajdfue.com tcp
AL 95.107.163.44:80 sdfjhuz.com tcp
CO 179.33.180.97:80 sajdfue.com tcp
CO 179.33.180.97:80 sajdfue.com tcp
CO 179.33.180.97:80 sajdfue.com tcp
CO 179.33.180.97:80 sajdfue.com tcp
US 52.111.227.13:443 tcp

Files

memory/704-1-0x0000000004C40000-0x0000000004CDB000-memory.dmp

memory/704-2-0x0000000004CE0000-0x0000000004DFB000-memory.dmp

memory/2308-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2308-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2308-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2308-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\062346fb-d56a-4c7a-8405-9761b48807be\d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022.exe

MD5 bd9cc7d219c9c1b402e9e479077eb1fd
SHA1 2b13c4ba018730a0e90c150a44f3e7bc127b465f
SHA256 d5893c95779c8c742ae460319ac45f40b0d3d0d4e393875aa680ce0fc0237022
SHA512 72fd8443954d232ff385d1b96267f4d651963af97441fe8f8ea0500576bba90617ebe60d881e0ad502c4385db922bcdb0b04ff7893921550ab05ec8a1c5c0d56

memory/2308-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4276-20-0x0000000004AB0000-0x0000000004B4B000-memory.dmp

memory/1340-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1340-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1340-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 f741810cb830974aebab5f43eb80bc43
SHA1 1019ffd11ba07f662659b7f244d2743b4b1562c3
SHA256 20c4d592f763227cd6ed7fc812ae9d65edd6e046c30a70e7c694c579d9f1580a
SHA512 607ca542510b2a90fbade08569e449fdf35673dc4f045c4ca61982666fe2dd694d265835ebe2d90146dfcecedc7f229804c8e235d8eb9ca36f761064522539f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fdc24d44bcfa8b4ab8a9811e6268da5a
SHA1 76ec1b083314e142c6c49bf6516f402b30257536
SHA256 7575249158d653b287fa12064ec2c1f6f8c8257135585159cb3c77da900c3a11
SHA512 8ad20cdc7cf7ddd2d0a97205c72c2b13d5cd63889204b192bd66e1aa3be035d6a3060bd582836b5a9b8f1c537136b6b8b6033bf1bd5f6e7f240febfa8e3aa462

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 a95d8278087ccdcf8e8c2f9426c7b735
SHA1 51028b604ce7c9365b5b58c280540e6571997bb5
SHA256 057c2bde6ed7ade1099f54cddcde3169ff571e95ccb8877bfcdb39f250198b07
SHA512 40eeeee4fe4932b3f8595347eb24fe043e8a2f384b0ddc61528582caad8dd6672db33bf3013a34a90522c8f5c28b25257f7dc5ea0ec8c84435e3b961fff92696

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

memory/1340-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1340-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1340-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1340-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1340-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1340-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1340-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1340-39-0x0000000000400000-0x0000000000537000-memory.dmp