Malware Analysis Report

2025-04-13 10:27

Sample ID 240415-yws7aahc4y
Target e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4
SHA256 e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4
Tags: djvu, discovery, persistence, ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4

Threat Level: Known bad

The file e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 20:08

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 20:08

Reported

2024-04-15 20:11

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe"

Signatures

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A (×17) | N/A | N/A | N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f1eb81a6-adc4-48bd-b741-3ac08f5f5afe\\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A (×3) | api.2ip.ua | N/A | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3008 wrote to memory of 2632 (×10) | N/A | C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe | C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe
PID 2632 wrote to memory of 3084 (×3) | N/A | C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe | C:\Windows\SysWOW64\icacls.exe
PID 2632 wrote to memory of 3276 (×3) | N/A | C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe | C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe
PID 3276 wrote to memory of 3224 (×10) | N/A | C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe | C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe

"C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe"

C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe

"C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f1eb81a6-adc4-48bd-b741-3ac08f5f5afe" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe

"C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe

"C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
MX 187.211.179.167:80 sdfjhuz.com tcp
US 8.8.8.8:53 sajdfue.com udp
MX 189.232.19.193:80 sajdfue.com tcp
MX 189.232.19.193:80 sajdfue.com tcp
US 8.8.8.8:53 167.179.211.187.in-addr.arpa udp
US 8.8.8.8:53 193.19.232.189.in-addr.arpa udp
MX 189.232.19.193:80 sajdfue.com tcp
MX 189.232.19.193:80 sajdfue.com tcp
MX 189.232.19.193:80 sajdfue.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

memory/3008-1-0x0000000004AF0000-0x0000000004B8E000-memory.dmp

memory/3008-2-0x0000000004B90000-0x0000000004CAB000-memory.dmp

memory/2632-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2632-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2632-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2632-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\f1eb81a6-adc4-48bd-b741-3ac08f5f5afe\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe

MD5 bd5b5a965a4c6686b45ab1b04308f846
SHA1 299acc22ef2a984a551742e0932180388f05c1df
SHA256 e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4
SHA512 4ec023c1261e5b6c0f92053df7a0fdfbbd9231463b6f130ba8327e7cfc34b1d97b1c123975c44155c569b040e78cd29a4958c6fcda94b3acca95153d1098cad7

memory/2632-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3276-20-0x0000000004A00000-0x0000000004A99000-memory.dmp

memory/3224-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3224-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3224-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fce7387f11f2fb2cfc031209f2f542d9
SHA1 25ada36a9a24dc962f5a7838e436ddbbaea684fd
SHA256 279b27327d25cd7f1b97a04d9b30c3f31a05f6fe9839bc9329fc471015d121be
SHA512 2e786736cce39251e61ea8499ee2f66c2918ad48164f6cd6eed181f7d32467a91e60ef7b47ba3aad0f0e570bea02b2cf8ccb01f89d2bf7e3dc44eb6eeda68791

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3c6a98dff2c8e5d41183fb934602bccf
SHA1 389eea4f6c8b9a19dd6efd65b2c979feeb4262a7
SHA256 8c5e90026091280487ae42d5c0f266528cacb6de18c7f3d693ecfdb547b06ac8
SHA512 fde8e5de812641dc896e8d8182dcf4244670e431f3310aba576f0f330a9d8a4221eb7513005e9755512d0c645cbf164c4c5f8872689d2e52a58b3f39668de8fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 492823775aaafff1544ac89dc17c8943
SHA1 24862048fe7a99ccbe04241ba1f1ba9f7088f137
SHA256 000516528fdf112e5a835abb2b3baf2affad6afcefff63b24923e3946014bd24
SHA512 4b5f0883f128ff7261674da8e9ad9e9cac5715fdab3bfe0791b79159802e3f6756dc1a40fb19e6d4ea313d8933e7f19e34353c230272fac5d1c3b351e056056b

memory/3224-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3224-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3224-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3224-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3224-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3224-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3224-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3224-39-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 20:08

Reported

2024-04-15 20:11

Platform

win11-20240412-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe"

Signatures

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A (×17) | N/A | N/A | N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c9b519f1-26e4-4524-a3b1-07cae1dda016\\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A (×3) | api.2ip.ua | N/A | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4816 wrote to memory of 1380 (×10) | N/A | C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe | C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe
PID 1380 wrote to memory of 1516 (×3) | N/A | C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe | C:\Windows\SysWOW64\icacls.exe
PID 1380 wrote to memory of 3580 (×3) | N/A | C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe | C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe
PID 3580 wrote to memory of 4544 (×10) | N/A | C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe | C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe

"C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe"

C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe

"C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c9b519f1-26e4-4524-a3b1-07cae1dda016" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe

"C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe

"C:\Users\Admin\AppData\Local\Temp\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
MK 95.86.30.3:80 sajdfue.com tcp
MX 187.211.179.167:80 sdfjhuz.com tcp
MK 95.86.30.3:80 sajdfue.com tcp
MK 95.86.30.3:80 sajdfue.com tcp
MK 95.86.30.3:80 sajdfue.com tcp
MK 95.86.30.3:80 sajdfue.com tcp

Files

memory/4816-1-0x0000000004C20000-0x0000000004CC2000-memory.dmp

memory/4816-2-0x0000000004CD0000-0x0000000004DEB000-memory.dmp

memory/1380-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1380-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1380-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1380-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\c9b519f1-26e4-4524-a3b1-07cae1dda016\e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4.exe

MD5 bd5b5a965a4c6686b45ab1b04308f846
SHA1 299acc22ef2a984a551742e0932180388f05c1df
SHA256 e27f72f9af46b84ad025e906084ae71a8581ca4f633331454f51cde2692c54d4
SHA512 4ec023c1261e5b6c0f92053df7a0fdfbbd9231463b6f130ba8327e7cfc34b1d97b1c123975c44155c569b040e78cd29a4958c6fcda94b3acca95153d1098cad7

memory/1380-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3580-21-0x0000000004B60000-0x0000000004BFD000-memory.dmp

memory/4544-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4544-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4544-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 e9bd1ca32dd612d1668f9eb814361200
SHA1 706d3fc7f06694f17cecd0f508c1cb2cf8b18ddc
SHA256 152aa3e69a1d0e505d85273fe4facf507e4403cb759574ad5e678fc8babe3c0a
SHA512 9729915ab4e96a630a3499ce83a310c77121bd24335563ee0ffc0c605d1067100bde609a5fea88112629a1b0522b64432bc7f40d130598186a94bc741258079f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3c6a98dff2c8e5d41183fb934602bccf
SHA1 389eea4f6c8b9a19dd6efd65b2c979feeb4262a7
SHA256 8c5e90026091280487ae42d5c0f266528cacb6de18c7f3d693ecfdb547b06ac8
SHA512 fde8e5de812641dc896e8d8182dcf4244670e431f3310aba576f0f330a9d8a4221eb7513005e9755512d0c645cbf164c4c5f8872689d2e52a58b3f39668de8fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 8f019f59ff3327706c8cfa0ea394bec0
SHA1 7d611e5d801424c4e5f20ade81b7419f0edaa973
SHA256 88daa9462d0844f6023b4429b41bd40965bc39533ebc12388fb411186f5ba610
SHA512 874468930a555d7033ca62f3aee2948c853fdeeba9117ccac471a0d9f9b35fd7ba4b20fca2dac92ffd6e0ef49028e58b98e5730d388fb0937773c3dbfd98fe87

memory/4544-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4544-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4544-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4544-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4544-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4544-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4544-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4544-39-0x0000000000400000-0x0000000000537000-memory.dmp