Malware Analysis Report

2025-04-13 10:27

Sample ID 240415-ynptwsha61
Target 79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b
SHA256 79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b
Tags djvu discovery persistence ransomware
Score 10/10


Analysis Overview

score
10/10

SHA256

79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b

Threat Level: Known bad

The file 79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Modifies file permissions

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 19:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 19:56

Reported

2024-04-15 19:58

Platform

win10v2004-20240412-en

Max time kernel

143s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe
Target: N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\68012a70-3a11-4ed5-b6c2-ff58a39a1b12\\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe\" --AutoStart"
Process: C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe
Target: N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4004 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe
PID 2848 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe C:\Windows\SysWOW64\icacls.exe
PID 2848 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe
PID 812 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe

Processes

C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe

"C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe"

C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe

"C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\68012a70-3a11-4ed5-b6c2-ff58a39a1b12" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe

"C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe

"C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 sajdfue.com udp
MX 189.195.132.134:80 sajdfue.com tcp
LY 102.218.198.12:80 sdfjhuz.com tcp
US 8.8.8.8:53 12.198.218.102.in-addr.arpa udp
US 8.8.8.8:53 134.132.195.189.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

memory/4004-1-0x0000000004AF0000-0x0000000004B8A000-memory.dmp

memory/4004-2-0x0000000004B90000-0x0000000004CAB000-memory.dmp

memory/2848-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2848-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2848-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2848-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\68012a70-3a11-4ed5-b6c2-ff58a39a1b12\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe

MD5 cabc5d4f81025ea43f2477adb2e2627d
SHA1 f4273023a6efe7896d1f6ef9ba1ad5c04e7fe3a7
SHA256 79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b
SHA512 f97a6c0d32ed8bbdeacf29a1a9f84458bc26801b86504a90594652aef2cbce30cfc96407c453d171f1d3072a7e402bd26871f1fdd3e41e5a5143576b17e4ad4f

memory/2848-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/812-20-0x00000000049C0000-0x0000000004A53000-memory.dmp

memory/2188-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2188-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2188-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3c6a98dff2c8e5d41183fb934602bccf
SHA1 389eea4f6c8b9a19dd6efd65b2c979feeb4262a7
SHA256 8c5e90026091280487ae42d5c0f266528cacb6de18c7f3d693ecfdb547b06ac8
SHA512 fde8e5de812641dc896e8d8182dcf4244670e431f3310aba576f0f330a9d8a4221eb7513005e9755512d0c645cbf164c4c5f8872689d2e52a58b3f39668de8fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 5ef3c52b977a64e856381950e6ad7d14
SHA1 2f302e79ed27952c3d558fc8c44080a6308ddbb6
SHA256 3db56af8bcd35aef1f0942cd429003b135cd0c40c915ad43cdcaa9fa178649d0
SHA512 a0cf4c19c9b6c6185a967846fc7840bc1cd18cd05ba61775a1be795a771baf33d7add1df0b35a5dc6ad37808e6209ab7b027d465bb0e8e90191103596945e26e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 6b3319425a05670ca0e7a748830b9c33
SHA1 616704b9907bd8809a8cff8cdaea574b17b2eb64
SHA256 a1b0b92b65dbafded44431600167c09d14f41e524c680c6ea1f6f3ea78345914
SHA512 9f7049f5ea3aceeb333476fe4cf452ad6139c676379c11eb4c45fa22dd166b3515874176611a41ebbb86cdfad9ec407014f8ea4a306034fdfaa603b3e2169b62

memory/2188-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2188-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2188-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2188-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2188-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2188-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2188-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2188-39-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 19:56

Reported

2024-04-15 19:58

Platform

win11-20240412-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2db20583-a3a5-44bb-b1ae-fd0eebffe91c\\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe\" --AutoStart"
Process: C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe
Target: N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe
PID 4804 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe C:\Windows\SysWOW64\icacls.exe
PID 4804 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe
PID 1856 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe

Processes

C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe

"C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe"

C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe

"C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\2db20583-a3a5-44bb-b1ae-fd0eebffe91c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe

"C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe

"C:\Users\Admin\AppData\Local\Temp\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
MX 189.195.132.134:80 sajdfue.com tcp
KR 123.140.161.243:80 sdfjhuz.com tcp

Files

memory/2040-1-0x0000000004BF0000-0x0000000004C8A000-memory.dmp

memory/2040-2-0x0000000004C90000-0x0000000004DAB000-memory.dmp

memory/4804-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4804-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4804-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4804-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\2db20583-a3a5-44bb-b1ae-fd0eebffe91c\79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b.exe

MD5 cabc5d4f81025ea43f2477adb2e2627d
SHA1 f4273023a6efe7896d1f6ef9ba1ad5c04e7fe3a7
SHA256 79147711755a81a678f0ae1de32757babf1ce43ad8f9375a36bfde621e86ed6b
SHA512 f97a6c0d32ed8bbdeacf29a1a9f84458bc26801b86504a90594652aef2cbce30cfc96407c453d171f1d3072a7e402bd26871f1fdd3e41e5a5143576b17e4ad4f

memory/4804-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1856-20-0x0000000004AB0000-0x0000000004B46000-memory.dmp

memory/1920-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1920-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1920-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 f387c740c473efe63d4032941654a5be
SHA1 f7282763258453833c4be2ddae471f3e920a5263
SHA256 81ac7d07ea325edb8c2de60894636507c7c9b0c83085d87834967c879b419136
SHA512 22c9592f91e6bc105040cb1081315d0d9b453363f908ea2fddd43737b995056f1290d58be83fb8e894713888129c0eb3d89b2f1c2dc21ab5fe2ad0677823dfdd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 c0a2510d40b44fc6b4a3348742653003
SHA1 b1653f2d804e63f8e1ac992d7e69c75125d26e13
SHA256 4f74e03bfa79c12f4d2b5f69e2d0e5eb79babce52a7b1636a5b8bac8239071cd
SHA512 2771108809fd3955ab158837204fb14b216c532e24b8065bceefdaf51c2330d409e07d5d3b4b1162ef70fc198e7b0e2b6fb2ed67dd7f97b6efb3ad2b8b50e43e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3c6a98dff2c8e5d41183fb934602bccf
SHA1 389eea4f6c8b9a19dd6efd65b2c979feeb4262a7
SHA256 8c5e90026091280487ae42d5c0f266528cacb6de18c7f3d693ecfdb547b06ac8
SHA512 fde8e5de812641dc896e8d8182dcf4244670e431f3310aba576f0f330a9d8a4221eb7513005e9755512d0c645cbf164c4c5f8872689d2e52a58b3f39668de8fd

memory/1920-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1920-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1920-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1920-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1920-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1920-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1920-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1920-39-0x0000000000400000-0x0000000000537000-memory.dmp