Malware Analysis Report

2025-04-13 10:27

Sample ID: 240415-x2l5gsdh99
Target: 56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525
SHA256: 56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525
Tags: djvu discovery persistence ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525

Threat Level: Known bad

The file 56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-15 19:21

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-15 19:21
Reported: 2024-04-15 19:23
Platform: win10v2004-20240412-en
Max time kernel: 143s
Max time network: 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe"

Signatures

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8d376c37-2cac-475a-a0b6-4652508c9ca7\\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1776 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 1776 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 1776 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 1776 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 1776 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 1776 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 1776 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 1776 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 1776 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 1776 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 2364 wrote to memory of 4100 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Windows\SysWOW64\icacls.exe
PID 2364 wrote to memory of 4100 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Windows\SysWOW64\icacls.exe
PID 2364 wrote to memory of 4100 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Windows\SysWOW64\icacls.exe
PID 2364 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 2364 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 2364 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 2704 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 2704 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 2704 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 2704 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 2704 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 2704 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 2704 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 2704 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 2704 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 2704 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe

Processes

C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe

"C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe"

C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe

"C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\8d376c37-2cac-475a-a0b6-4652508c9ca7" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe

"C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe

"C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe" --Admin IsNotAutoStart IsNotTask

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | api.2ip.ua | udp
US | 104.21.65.24:443 | api.2ip.ua | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp
US | 104.21.65.24:443 | api.2ip.ua | tcp
US | 8.8.8.8:53 | sdfjhuz.com | udp
US | 8.8.8.8:53 | sajdfue.com | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
CL | 190.13.174.91:80 | sdfjhuz.com | tcp
MX | 148.230.249.9:80 | sajdfue.com | tcp
MX | 148.230.249.9:80 | sajdfue.com | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.249.230.148.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.174.13.190.in-addr.arpa | udp
MX | 148.230.249.9:80 | sajdfue.com | tcp
MX | 148.230.249.9:80 | sajdfue.com | tcp
MX | 148.230.249.9:80 | sajdfue.com | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp

Files

memory/1776-1-0x00000000049D0000-0x0000000004A6F000-memory.dmp

memory/1776-2-0x0000000004A70000-0x0000000004B8B000-memory.dmp

memory/2364-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2364-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2364-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2364-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\8d376c37-2cac-475a-a0b6-4652508c9ca7\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe

MD5 b1e4c479c6bfc09e7af5e586b47a5215
SHA1 a5fed6e61786e5042ffcea44250078f0bab868c5
SHA256 56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525
SHA512 f1a46d9d8e1485ea37d29ede20fc2c2c7a7765b27f69e8d366956ca5f675bf7f69d9e0e3f5fb2a2bdc72b16499323a8c3908e2416fc26d9b572fc1fa643227e2

memory/2364-15-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2704-18-0x00000000049E0000-0x0000000004A7C000-memory.dmp

memory/4060-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4060-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4060-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 73b54c0286039b6816bae576296dcde1
SHA1 6469d4989412faa90f12e80d323b4ea3c5ef1805
SHA256 d941ce0d238c69b04519eaa36101f47f1247c64cd2f183159ddacd90670b7325
SHA512 c81f618aa327feea57578248a14d876a8ff7bd91dea7617b75ce443a9eacd68515bd5228c32ab6b43cccb13a27346035d09f77f85845234858e7af59a8bb869f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3c6a98dff2c8e5d41183fb934602bccf
SHA1 389eea4f6c8b9a19dd6efd65b2c979feeb4262a7
SHA256 8c5e90026091280487ae42d5c0f266528cacb6de18c7f3d693ecfdb547b06ac8
SHA512 fde8e5de812641dc896e8d8182dcf4244670e431f3310aba576f0f330a9d8a4221eb7513005e9755512d0c645cbf164c4c5f8872689d2e52a58b3f39668de8fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 de9de9bc2d926d063f2698043c43715b
SHA1 6f2677e481ac4b1af9d9ff7e2131e6638bf8105a
SHA256 3473a45716e6c0a5d9582dff84a36d301f3d48c5db5f1d50e5ff5efdf701f25e
SHA512 935a89d78a1e6d39944bbf33d11d6529aa947b9df9b7b85fb59e141612e331c2e9c4bfc53f49621f02114499a9d191ecc98e5a6ed10eeb2c37d86aa82a607456

memory/4060-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4060-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4060-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4060-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4060-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4060-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4060-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4060-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-15 19:21
Reported: 2024-04-15 19:23
Platform: win11-20240412-en
Max time kernel: 146s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe"

Signatures

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\21208da0-5cf5-478a-856b-e2a4cb001de4\\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 496 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 496 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 496 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 496 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 496 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 496 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 496 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 496 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 496 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 496 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 1204 wrote to memory of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Windows\SysWOW64\icacls.exe
PID 1204 wrote to memory of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Windows\SysWOW64\icacls.exe
PID 1204 wrote to memory of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Windows\SysWOW64\icacls.exe
PID 1204 wrote to memory of 4384 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 1204 wrote to memory of 4384 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 1204 wrote to memory of 4384 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 4384 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 4384 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 4384 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 4384 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 4384 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 4384 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 4384 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 4384 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 4384 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe
PID 4384 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe | C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe

Processes

C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe

"C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe"

C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe

"C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\21208da0-5cf5-478a-856b-e2a4cb001de4" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe

"C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe

"C:\Users\Admin\AppData\Local\Temp\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe" --Admin IsNotAutoStart IsNotTask

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.2ip.ua | udp
US | 172.67.139.220:443 | api.2ip.ua | tcp
US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp
US | 172.67.139.220:443 | api.2ip.ua | tcp
MX | 187.143.46.11:80 | sajdfue.com | tcp
JM | 63.143.98.185:80 | sdfjhuz.com | tcp
MX | 187.143.46.11:80 | sajdfue.com | tcp
MX | 187.143.46.11:80 | sajdfue.com | tcp
MX | 187.143.46.11:80 | sajdfue.com | tcp
MX | 187.143.46.11:80 | sajdfue.com | tcp

Files

memory/496-1-0x0000000004BF0000-0x0000000004C84000-memory.dmp

memory/496-2-0x0000000004C90000-0x0000000004DAB000-memory.dmp

memory/1204-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1204-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1204-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1204-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\21208da0-5cf5-478a-856b-e2a4cb001de4\56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525.exe

MD5 b1e4c479c6bfc09e7af5e586b47a5215
SHA1 a5fed6e61786e5042ffcea44250078f0bab868c5
SHA256 56f554a175f5888a9bfb3cc17e3f010f2617f1e5d087601cc08781110e794525
SHA512 f1a46d9d8e1485ea37d29ede20fc2c2c7a7765b27f69e8d366956ca5f675bf7f69d9e0e3f5fb2a2bdc72b16499323a8c3908e2416fc26d9b572fc1fa643227e2

memory/1204-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4384-20-0x0000000004AB0000-0x0000000004B43000-memory.dmp

memory/3916-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3916-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3916-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 993dfecfbdc32b7a445dcb0e01cce568
SHA1 6ecda68d263e956bdefbc7c278f72753072ed859
SHA256 ef1b6364a91ec68caf63a578865a0e0841ecc578748b6538ffc9a3b4f4553591
SHA512 aa093a77247c1af4a86da5dc07a664a25da3c446b26a721b60b5e9f36219a14a2a860a94728c6237488cb8e615d93e1631e2dc2efc3a2079795fafd07ca90e4b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3c6a98dff2c8e5d41183fb934602bccf
SHA1 389eea4f6c8b9a19dd6efd65b2c979feeb4262a7
SHA256 8c5e90026091280487ae42d5c0f266528cacb6de18c7f3d693ecfdb547b06ac8
SHA512 fde8e5de812641dc896e8d8182dcf4244670e431f3310aba576f0f330a9d8a4221eb7513005e9755512d0c645cbf164c4c5f8872689d2e52a58b3f39668de8fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 f11dea827f922440f712d952a9cc0913
SHA1 99997fdcce6b9ddc9de1a2e6d033264dbcca7a5a
SHA256 713dddaa567c1afb2ed49cdba976a0a85fe4479b4b11a296d12793f3afac8080
SHA512 d72a67f26c57be73da43f0e499ca88bc338a78de2fff5d4c9f0e5e961c15ff47aa33c04beab11dcc6c68c387179f539dbd04fd4642be8a9acdfcc1e8114f7520

memory/3916-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3916-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3916-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3916-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3916-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3916-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3916-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3916-39-0x0000000000400000-0x0000000000537000-memory.dmp