Malware Analysis Report

2025-04-13 10:27

Sample ID 240415-yx7fasfb24
Target 17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7
SHA256 17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7
Tags
djvu discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7

Threat Level: Known bad

The file 17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 20:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 20:10

Reported

2024-04-15 20:13

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\042c1366-6bec-4955-8554-bb800766d376\\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4980 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 4980 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 4980 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 4980 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 4980 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 4980 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 4980 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 4980 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 4980 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 4980 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 936 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Windows\SysWOW64\icacls.exe
PID 936 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Windows\SysWOW64\icacls.exe
PID 936 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Windows\SysWOW64\icacls.exe
PID 936 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 936 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 936 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 1228 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 1228 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 1228 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 1228 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 1228 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 1228 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 1228 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 1228 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 1228 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 1228 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe

Processes

C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe

"C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe"

C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe

"C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\042c1366-6bec-4955-8554-bb800766d376" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe

"C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe

"C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 163.233.34.23.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 sajdfue.com udp
BG 93.152.141.65:80 sajdfue.com tcp
KR 211.171.233.129:80 sajdfue.com tcp
US 8.8.8.8:53 65.141.152.93.in-addr.arpa udp
BG 93.152.141.65:80 sajdfue.com tcp
US 8.8.8.8:53 129.233.171.211.in-addr.arpa udp
BG 93.152.141.65:80 sajdfue.com tcp
BG 93.152.141.65:80 sajdfue.com tcp
BG 93.152.141.65:80 sajdfue.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 98.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

memory/4980-1-0x0000000002F50000-0x0000000002FEA000-memory.dmp

memory/4980-2-0x0000000004B90000-0x0000000004CAB000-memory.dmp

memory/936-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/936-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/936-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/936-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\042c1366-6bec-4955-8554-bb800766d376\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe

MD5 ee36df0a7d9721de85b8349377f67369
SHA1 18cd0b6d418a197201aedba334f0eab4e1be3723
SHA256 17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7
SHA512 a10b87ce926318bb45a3f2a2fc5eb1ad54e23b1da9d2928442738a1faff61bda891f1fbef69d47bde2b81ba0a39080bba8d2567231e6d5657ca923f725b5c84e

memory/936-15-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1228-18-0x0000000003080000-0x000000000311C000-memory.dmp

memory/3520-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3520-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3520-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 0cab1308acd4b5080e455f1fa8642f19
SHA1 daee820d6bdc2b8dfdc42b7d0986e8855bb93e46
SHA256 2c811f267d39ec944303497fb04a2e97a50b4c01ea3e9ef275fb4e1001477a18
SHA512 5d67941dfedefc2f8f2241c974c306207d0d0f2a9f7006918a4ca6643326b6f759fd5c83c9b18625e8ca85099f756dfd7a0839dba60a7211ffb5f609a91b982c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3c6a98dff2c8e5d41183fb934602bccf
SHA1 389eea4f6c8b9a19dd6efd65b2c979feeb4262a7
SHA256 8c5e90026091280487ae42d5c0f266528cacb6de18c7f3d693ecfdb547b06ac8
SHA512 fde8e5de812641dc896e8d8182dcf4244670e431f3310aba576f0f330a9d8a4221eb7513005e9755512d0c645cbf164c4c5f8872689d2e52a58b3f39668de8fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fa398882c00ca809b161d17426ba53cd
SHA1 94ac7ecc9c57aa8715b38fcdf197b843a76dfcdc
SHA256 6e0a2f8b5254db0c41f78a676ef522dc7ad231bb85bc4c04a0d42178c3bb9f7e
SHA512 42b13b57acf3801e65c493613dad09e02fe87a295215fc58a1acbc95fc419e41f0010c6bc9e0539f36c770732e3d13e4183020d7f6c9af8c9cec1d14b218c8ca

memory/3520-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3520-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3520-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3520-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3520-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3520-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3520-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3520-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 20:10

Reported

2024-04-15 20:13

Platform

win11-20240412-en

Max time kernel

153s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c69dc784-bafb-49c8-a502-bca4b7a562a9\\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 2612 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 2680 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Windows\SysWOW64\icacls.exe
PID 2680 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Windows\SysWOW64\icacls.exe
PID 2680 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Windows\SysWOW64\icacls.exe
PID 2680 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 2680 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 2680 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 3112 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 3112 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 3112 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 3112 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 3112 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 3112 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 3112 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 3112 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 3112 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe
PID 3112 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe

Processes

C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe

"C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe"

C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe

"C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c69dc784-bafb-49c8-a502-bca4b7a562a9" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe

"C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe

"C:\Users\Admin\AppData\Local\Temp\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
MX 189.232.19.193:80 sajdfue.com tcp
BG 95.158.162.200:80 sdfjhuz.com tcp
MX 189.232.19.193:80 sajdfue.com tcp
MX 189.232.19.193:80 sajdfue.com tcp
MX 189.232.19.193:80 sajdfue.com tcp
MX 189.232.19.193:80 sajdfue.com tcp

Files

memory/2612-1-0x0000000004C40000-0x0000000004CE0000-memory.dmp

memory/2612-2-0x0000000004CE0000-0x0000000004DFB000-memory.dmp

memory/2680-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2680-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2680-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2680-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\c69dc784-bafb-49c8-a502-bca4b7a562a9\17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7.exe

MD5 ee36df0a7d9721de85b8349377f67369
SHA1 18cd0b6d418a197201aedba334f0eab4e1be3723
SHA256 17e727162cf53ece1cc040d90840dfcc3d7dd2b5979979def35e1194045facd7
SHA512 a10b87ce926318bb45a3f2a2fc5eb1ad54e23b1da9d2928442738a1faff61bda891f1fbef69d47bde2b81ba0a39080bba8d2567231e6d5657ca923f725b5c84e

memory/2680-15-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3112-18-0x0000000004AB0000-0x0000000004B4C000-memory.dmp

memory/2976-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2976-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2976-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 cfbe320c23ee88abfd67493b796e5245
SHA1 77fbb013324570ba8e2f11b64e58ee6df74735d5
SHA256 8cc427bfc69ff233a888ce9851e8f6bd8df5ba1cc25514f6bac081a6417823c1
SHA512 d936e6ff0f537930faad890be0897a913545f583160c9886c91da1a0f4e2d94424bc017accc4bcebe9ff0ab124454907deee5e4202e91c855dfe6e67aafd1c35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3c6a98dff2c8e5d41183fb934602bccf
SHA1 389eea4f6c8b9a19dd6efd65b2c979feeb4262a7
SHA256 8c5e90026091280487ae42d5c0f266528cacb6de18c7f3d693ecfdb547b06ac8
SHA512 fde8e5de812641dc896e8d8182dcf4244670e431f3310aba576f0f330a9d8a4221eb7513005e9755512d0c645cbf164c4c5f8872689d2e52a58b3f39668de8fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3ccfdd600cd47e68bb29ccc645df19ad
SHA1 0286fa0a547236d2aea6ca8ec336341211a6d643
SHA256 ba0afb49d90eff2769fd2ff7d7aef0ae9c62a32ff7efd9d0c653aec1b795e803
SHA512 e4b6c4a82a01fab33eec004439bd67ae98003f7a0b632a83dd90d369ac9097ed3c2b735660baea3cb25ebcbf0ea2f2b764b58f19b6d0f4f2938319a162375287

memory/2976-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2976-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2976-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2976-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2976-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2976-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2976-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2976-37-0x0000000000400000-0x0000000000537000-memory.dmp