Malware Analysis Report

2025-04-13 10:27

Sample ID: 240415-z9d5ysah3y
Target: 5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3
SHA256: 5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3
Tags: djvu discovery persistence ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3

Threat Level: Known bad

The file 5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 21:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 21:24

Reported

2024-04-15 21:27

Platform

win10v2004-20240412-en

Max time kernel

131s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe"

Signatures

Detected Djvu ransomware

Description | Indicator | Process | Target
(9 matches, all fields N/A)

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3ca97f8a-28c1-4b94-82ba-985358f5446d\\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua (2 hits) | N/A | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4432 wrote to memory of 4424 (10 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe | C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe
PID 4424 wrote to memory of 2356 (3 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe | C:\Windows\SysWOW64\icacls.exe
PID 4424 wrote to memory of 2096 (3 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe | C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe
PID 2096 wrote to memory of 4224 (10 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe | C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe

"C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe"

C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe

"C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\3ca97f8a-28c1-4b94-82ba-985358f5446d" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe

"C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe

"C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4120,i,7064649017625232947,17746804975634116675,262144 --variations-seed-version --mojo-platform-channel-handle=3836 /prefetch:8
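Read together, the WriteProcessMemory table and the process list above give the execution chain of this run: the first instance (4432) writes ten times into a second copy of its own image (4424); that copy spawns icacls (2356, three writes) and a further instance (2096, three writes); 2096 then writes ten times into yet another same-image instance (4224), and the two WerFault lines name 4224 as the process that crashed. Same-image parent-to-child writes, combined with the "Suspicious use of SetThreadContext" entry in the summary, are the process-hollowing pattern (child created suspended, image overwritten, thread context redirected, resumed); the small write counts into icacls are ordinary child creation. behavioral2 shows the same shape (556 > 4196 > 2268 and 4708 > 2780) with no crash. The Python below is an added example, not part of the sandbox report: it folds the repeated rows into one edge per writer/target pair with a write count, flags same-image writes as hollowing candidates, pulls the crashed PID out of the WerFault command lines and prints the tree. Because the Processes list carries no PIDs, the PID-to-command-line mapping is an assumption taken from the order in which that list prints the processes.

```python
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe"
ICACLS = r"C:\Windows\SysWOW64\icacls.exe"

# Constructed from the behavioral1 "Suspicious use of WriteProcessMemory" table above:
# (Description, Process, Target) per row, repeated as often as the table repeats it.
WRITE_ROWS = ([("PID 4432 wrote to memory of 4424", SAMPLE, SAMPLE)] * 10
              + [("PID 4424 wrote to memory of 2356", SAMPLE, ICACLS)] * 3
              + [("PID 4424 wrote to memory of 2096", SAMPLE, SAMPLE)] * 3
              + [("PID 2096 wrote to memory of 4224", SAMPLE, SAMPLE)] * 10)
# PID -> command line. ASSUMPTION: the report's Processes list has no PIDs, so this follows the order
# in which it lists them; only the WerFault lines name a PID explicitly.
CMDLINES = {
    4432: f'"{SAMPLE}"',
    4424: f'"{SAMPLE}"',
    2356: r'icacls "C:\Users\Admin\AppData\Local\3ca97f8a-28c1-4b94-82ba-985358f5446d" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    2096: f'"{SAMPLE}" --Admin IsNotAutoStart IsNotTask',
    4224: f'"{SAMPLE}" --Admin IsNotAutoStart IsNotTask',
}
WERFAULT_CMDLINES = [r"C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4224 -ip 4224",
                     r"C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 568"]

DESC_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")


def collapse_writes(rows):
    """Fold repeated rows into one edge per (writer, target) with a write count; remember each PID's image."""
    counts, images = Counter(), {}
    for desc, src_image, dst_image in rows:
        m = DESC_RE.match(desc)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        counts[(src, dst)] += 1
        images[src], images[dst] = src_image, dst_image
    return counts, images


def crashed_pids(werfault_cmdlines):
    """PIDs named by WerFault's -p switch, i.e. processes that died with an unhandled exception."""
    pids = set()
    for cmd in werfault_cmdlines:
        m = re.search(r"\s-p\s+(\d+)", cmd)
        if m:
            pids.add(int(m.group(1)))
    return pids


def classify_edges(counts, images):
    """Writes into a child running the writer's own image are the hollowing pattern; anything else is
    treated as a plain child spawn."""
    return {edge: ("self-injection (hollowing candidate)"
                   if images[edge[0]].lower() == images[edge[1]].lower() else "child spawn")
            for edge in counts}


def render_tree(counts, images, cmdlines, crashed):
    """Indented process tree with per-edge write counts, verdicts and a crash marker."""
    children = defaultdict(list)
    for src, dst in counts:
        children[src].append(dst)
    verdict = classify_edges(counts, images)
    targets = {dst for _, dst in counts}
    roots = [pid for pid in images if pid not in targets]
    lines = []

    def walk(pid, depth):
        tag = "  [CRASHED]" if pid in crashed else ""
        lines.append("  " * depth + f"{pid}  {cmdlines.get(pid, images[pid])}{tag}")
        for child in children[pid]:
            lines.append("  " * (depth + 1) + f"|- {counts[(pid, child)]} write(s): {verdict[(pid, child)]}")
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    counts, images = collapse_writes(WRITE_ROWS)
    print(render_tree(counts, images, CMDLINES, crashed_pids(WERFAULT_CMDLINES)))
```

The same functions apply unchanged to the behavioral2 tables; the crash marker is what separates the two runs, and it matters for the network section, since the crashed process is the last stage of this run.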

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 163.233.34.23.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 169.125.209.23.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

memory/4432-1-0x0000000002F50000-0x0000000002FF0000-memory.dmp

memory/4432-2-0x0000000004AB0000-0x0000000004BCB000-memory.dmp

memory/4424-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4424-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4424-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4424-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\3ca97f8a-28c1-4b94-82ba-985358f5446d\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe

MD5 3d18b4d0c8a37c764f5d1258c346988f
SHA1 406d89e9ada014fc30999b0e68ecffc3efb6c5a1
SHA256 5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3
SHA512 59b4d499cf80ab003f7fdb699dc0ccb26cd85676557f8e68172fd7381d36f66e5ab85a930eafa37e13e20298faf039e462f2385570aac810762b3e6cb93fd4c5

memory/4424-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2096-22-0x00000000049B0000-0x0000000004A4E000-memory.dmp

memory/4224-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4224-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4224-27-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 21:24

Reported

2024-04-15 21:27

Platform

win11-20240412-en

Max time kernel

143s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe"

Signatures

Detected Djvu ransomware

Description | Indicator | Process | Target
(17 matches, all fields N/A)

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a867201c-7ce3-437f-90a0-031915e87e54\\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua (3 hits) | N/A | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 556 wrote to memory of 4196 (10 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe | C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe
PID 4196 wrote to memory of 2268 (3 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe | C:\Windows\SysWOW64\icacls.exe
PID 4196 wrote to memory of 4708 (3 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe | C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe
PID 4708 wrote to memory of 2780 (10 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe | C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe

"C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe"

C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe

"C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\a867201c-7ce3-437f-90a0-031915e87e54" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe

"C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe

"C:\Users\Admin\AppData\Local\Temp\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe" --Admin IsNotAutoStart IsNotTask
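The icacls line in the process list above (behavioral1 runs the identical command against its own GUID-named folder) is the one hardening step the report captures for the dropped copy. Reading it: `*S-1-1-0` is the well-known SID for Everyone (the leading `*` tells icacls a SID follows rather than a name), `(OI)(CI)` make the ACE inherit to files and subfolders, and `(DE,DC)` denies Delete and Delete Child. Deny ACEs are evaluated before allow ACEs, so a plain delete of the folder or of the copy inside it fails even from an elevated prompt until the ACE is removed (`icacls <dir> /remove:d *S-1-1-0`) or the ACL is reset; the user who ran the sample owns the folder, so that removal works without taking ownership first. The SysHelper Run value in the Signatures section launches the copy from that same folder with `--AutoStart`. The Python below is an added example and not part of the sandbox report: it parses icacls ACE syntax into principal, inheritance flags and rights, flags deny ACEs that lock a directory against deletion, emits the reversing command, and decodes the Run value exactly as the report prints it (quotes and backslashes escaped) to confirm that it points into the locked directory. The inputs are copied from this behavioral2 run; the rights table is the one `icacls /?` documents.

```python
import re

# icacls abbreviations as listed by `icacls /?`: simple rights, specific rights, inheritance flags.
SIMPLE_RIGHTS = {"N": "no access", "F": "full access", "M": "modify", "RX": "read and execute",
                 "R": "read-only", "W": "write-only", "D": "delete"}
SPECIFIC_RIGHTS = {"DE": "delete", "DC": "delete child", "RC": "read control", "WDAC": "write DAC",
                   "WO": "write owner", "S": "synchronize", "RD": "read data/list directory",
                   "WD": "write data/add file", "AD": "append data/add subdirectory", "X": "execute/traverse",
                   "RA": "read attributes", "WA": "write attributes", "REA": "read EA", "WEA": "write EA",
                   "GR": "generic read", "GW": "generic write", "GE": "generic execute", "GA": "generic all"}
INHERITANCE = {"OI": "object inherit", "CI": "container inherit", "IO": "inherit only",
               "NP": "do not propagate inherit", "I": "inherited from parent container"}
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "Users"}
DELETE_RIGHTS = {"DE", "DC", "D", "F", "M", "GA"}   # denying any of these blocks deleting the object or its children
ACE_RE = re.compile(r"^(?P<star>\*)?(?P<who>[^:]+):(?P<perm>.+)$")

# Constructed from the behavioral2 run above: the icacls command line and the SysHelper Run value,
# the latter exactly as the report prints it (quotes and backslashes escaped).
DROP_DIR = r"C:\Users\Admin\AppData\Local\a867201c-7ce3-437f-90a0-031915e87e54"
ICACLS_CMD = f'icacls "{DROP_DIR}" /deny *S-1-1-0:(OI)(CI)(DE,DC)'
RUN_VALUE = (r'"\"C:\\Users\\Admin\\AppData\\Local\\a867201c-7ce3-437f-90a0-031915e87e54'
             r'\\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe\" --AutoStart"')


def parse_ace(spec):
    """Parse an icacls 'principal:perm' spec, e.g. *S-1-1-0:(OI)(CI)(DE,DC) or Users:(OI)(CI)RX."""
    m = ACE_RE.match(spec)
    if not m:
        raise ValueError(f"not an icacls ACE spec: {spec!r}")
    sid = m.group("who") if m.group("star") else None      # a leading '*' means a SID, not a name
    inherit, rights = [], []
    for flag in re.findall(r"[A-Za-z]+", m.group("perm")):  # flags inside (...) plus any bare simple right
        flag = flag.upper()
        if flag in INHERITANCE:
            inherit.append(flag)
        elif flag in SIMPLE_RIGHTS or flag in SPECIFIC_RIGHTS:
            rights.append(flag)
        else:
            raise ValueError(f"unknown icacls flag {flag!r} in {spec!r}")
    principal = WELL_KNOWN_SIDS.get(sid, sid) if sid else m.group("who")
    return {"sid": sid, "principal": principal, "inherit": inherit, "rights": rights}


def parse_icacls(cmdline):
    """Split an icacls command line into the target path, ACE operations and the remaining switches."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    exe = re.split(r"[\\/]", tokens[0].strip('"'))[-1].lower() if tokens else ""
    if exe not in ("icacls", "icacls.exe") or len(tokens) < 2:
        raise ValueError("not an icacls command line")
    parsed = {"path": tokens[1].strip('"'), "aces": [], "switches": []}
    i = 2
    while i < len(tokens):
        switch = tokens[i].lower()
        if switch in ("/deny", "/grant", "/grant:r") and i + 1 < len(tokens):
            ace = parse_ace(tokens[i + 1])
            ace["op"] = "deny" if switch == "/deny" else "grant"
            parsed["aces"].append(ace)
            i += 2
        else:
            parsed["switches"].append(switch)   # /T, /C, /Q, /reset, /inheritance:..., ...
            i += 1
    return parsed


def describe(ace):
    who = ace["principal"] + (f" ({ace['sid']})" if ace["sid"] else "")
    rights = ", ".join(SPECIFIC_RIGHTS.get(r) or SIMPLE_RIGHTS[r] for r in ace["rights"])
    scope = ", ".join(INHERITANCE[f] for f in ace["inherit"]) or "this object only"
    return f"{ace['op']} {who}: {rights}; applies to: {scope}"


def delete_locks(parsed):
    """Deny ACEs that keep a broad principal from deleting the target or its children. Deny ACEs are
    evaluated before allow ACEs, so a plain delete then fails even from an elevated shell."""
    broad = {"Everyone", "Authenticated Users", "Users"}
    return [a for a in parsed["aces"]
            if a["op"] == "deny" and a["principal"] in broad and DELETE_RIGHTS & set(a["rights"])]


def undo_commands(parsed):
    """Strip those deny ACEs so the directory can be removed normally: /remove:d drops every deny ACE
    for the SID, /T walks children in case the ACE was also set on them explicitly, /C continues past errors."""
    return [f'icacls "{parsed["path"]}" /remove:d {"*" + a["sid"] if a["sid"] else a["principal"]} /T /C'
            for a in delete_locks(parsed)]


def run_value_target(raw_value):
    """Decode a Run-key value as the report prints it into (executable, arguments)."""
    value = raw_value.strip()
    if value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    value = re.sub(r'\\(["\\])', r"\1", value)            # \" -> "   and   \\ -> \
    m = re.match(r'^"([^"]+)"\s*(.*)$', value)
    return (m.group(1), m.group(2)) if m else (value.split(" ", 1)[0], "")


def persists_in_locked_dir(parsed, raw_run_value):
    """True when the Run key launches a file inside the directory the deny ACE protects."""
    exe, _ = run_value_target(raw_run_value)
    return exe.rsplit("\\", 1)[0].lower() == parsed["path"].lower()
```

`describe(parse_icacls(ICACLS_CMD)["aces"][0])` reads "deny Everyone (S-1-1-0): delete, delete child; applies to: object inherit, container inherit", and `undo_commands` returns the single `/remove:d *S-1-1-0` line to run before deleting the folder. Once the ACE is gone, remove the Run value as well, otherwise the copy (or its absence) is still referenced at the next logon.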

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
CL 201.236.158.115:80 sajdfue.com tcp
MX 189.143.136.126:80 sdfjhuz.com tcp
CL 201.236.158.115:80 sajdfue.com tcp
CL 201.236.158.115:80 sajdfue.com tcp
CL 201.236.158.115:80 sajdfue.com tcp
CL 201.236.158.115:80 sajdfue.com tcp
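Only this behavioral2 run reached the two port-80 hosts sajdfue.com and sdfjhuz.com; the behavioral1 table stops after the api.2ip.ua exchange, and that run's last-stage process is the one WerFault reported. A block list built from one detonation alone would therefore miss them. Most of both tables is the sandbox's own background: reverse-DNS (in-addr.arpa) lookups for every peer it sees, and the Edge/Bing traffic in behavioral1. api.2ip.ua is the external-IP lookup the signature above flags; its addresses (104.21.65.24, 172.67.139.220) sit in shared Cloudflare CDN ranges, so they identify the CDN rather than the site and should not go on an IP block list. The Python below is an added example, not part of the report: it parses rows in the report's own column layout, drops the noise, keeps api.2ip.ua as the IP-check indicator and labels every remaining host a "C2 candidate" (the report itself does not confirm their role), then separates CDN-hosted addresses from IPs that are safe to block. The benign-suffix list and the CDN ranges are assumptions hard-coded for this report; the sample rows are a constructed subset of the two tables.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed inline: a subset of the rows from the two Network tables above (behavioral1 first,
# then behavioral2), in the report's own "Country Destination Domain Proto" layout.
NETWORK_TABLE = """
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
CL 201.236.158.115:80 sajdfue.com tcp
MX 189.143.136.126:80 sdfjhuz.com tcp
CL 201.236.158.115:80 sajdfue.com tcp
CL 201.236.158.115:80 sajdfue.com tcp
"""

# Background traffic of the sandbox image itself. ASSUMPTION: extend for your own environment.
BENIGN_SUFFIXES = (".bing.com", ".microsoft.com", ".windowsupdate.com", ".msedge.net")
# Matches the "Looks up external IP address via web service" signature in this report.
IP_CHECK_SERVICES = {"api.2ip.ua"}
# Shared-CDN address space (Cloudflare) that the api.2ip.ua connections land in: an IP inside these
# ranges identifies the CDN, not the site, so it must not go on a block list.
SHARED_CDN = [ipaddress.ip_network("104.16.0.0/12"), ipaddress.ip_network("172.64.0.0/13")]


def classify(domain):
    if domain.endswith((".in-addr.arpa", ".ip6.arpa")):
        return "ptr_noise"            # reverse lookups the sandbox performs on every peer it sees
    if domain in IP_CHECK_SERVICES:
        return "ip_check"
    if domain.endswith(BENIGN_SUFFIXES):
        return "benign_background"
    return "c2_candidate"             # everything else the sample reached out to


def parse_table(text):
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto,
                     "kind": "dns_query" if port == "53" and proto == "udp" else "connection"})
    return rows


def triage(rows):
    """class -> Counter of (domain, 'dns' | 'ip:port') with hit counts."""
    out = defaultdict(Counter)
    for r in rows:
        where = "dns" if r["kind"] == "dns_query" else f'{r["ip"]}:{r["port"]}'
        out[classify(r["domain"])][(r["domain"], where)] += 1
    return out


def is_shared_cdn(ip):
    return any(ipaddress.ip_address(ip) in net for net in SHARED_CDN)


def block_list(triaged):
    """Domains worth blocking or hunting, plus the IPs that are safe to block alongside them."""
    domains, ips, cdn_only = set(), set(), set()
    for cls in ("c2_candidate", "ip_check"):
        for domain, where in triaged.get(cls, {}):
            domains.add(domain)
            if where != "dns":
                ip = where.rsplit(":", 1)[0]
                (cdn_only if is_shared_cdn(ip) else ips).add(ip)
    return {"domains": sorted(domains), "ips": sorted(ips), "cdn_shared_ips": sorted(cdn_only)}


if __name__ == "__main__":
    result = triage(parse_table(NETWORK_TABLE))
    for cls, hits in result.items():
        print(cls, dict(hits))
    print(block_list(result))
```

On these rows the block list comes out as the three domains (api.2ip.ua, sajdfue.com, sdfjhuz.com), two blockable IPs (189.143.136.126, 201.236.158.115) and two CDN-shared addresses that are reported separately rather than blocked.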

Files

memory/556-1-0x0000000004B00000-0x0000000004B99000-memory.dmp

memory/556-2-0x0000000004BA0000-0x0000000004CBB000-memory.dmp

memory/4196-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4196-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4196-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4196-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\a867201c-7ce3-437f-90a0-031915e87e54\5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3.exe

MD5 3d18b4d0c8a37c764f5d1258c346988f
SHA1 406d89e9ada014fc30999b0e68ecffc3efb6c5a1
SHA256 5d1e47acd2d476363bb2d47fc805e72d1636bbdaf3d2d9d90559a725add863e3
SHA512 59b4d499cf80ab003f7fdb699dc0ccb26cd85676557f8e68172fd7381d36f66e5ab85a930eafa37e13e20298faf039e462f2385570aac810762b3e6cb93fd4c5

memory/4196-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2780-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2780-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4708-23-0x0000000004AD0000-0x0000000004B65000-memory.dmp

memory/2780-26-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 3b7ba00b3b1bf5ab6776755cfa7308f6
SHA1 285ac79fdd8544a90a3798ce562050a7c8cd52f0
SHA256 acc75ea60727be07a50add794eb0b446a95cbc68bb743eb877f74d0b6bd5cfd1
SHA512 cd99a73b6a89d3194cb5d0414f9e95719d95dc301a332f30584ff4b65a15fea8272829cf42a985cc8b9acb8e67ef669ad6ddcefc2da552239083e386df88f0aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3c6a98dff2c8e5d41183fb934602bccf
SHA1 389eea4f6c8b9a19dd6efd65b2c979feeb4262a7
SHA256 8c5e90026091280487ae42d5c0f266528cacb6de18c7f3d693ecfdb547b06ac8
SHA512 fde8e5de812641dc896e8d8182dcf4244670e431f3310aba576f0f330a9d8a4221eb7513005e9755512d0c645cbf164c4c5f8872689d2e52a58b3f39668de8fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 5ef094b8f729b5932055d1183b4621be
SHA1 aef59e51a62465bbce63e05c5dd5a7ac50f842ac
SHA256 e60ba70d3690db7acc43d9baa21b5e4eb0df8e546a702a566e434c084f04040b
SHA512 90685e564003ed51e0cd98fc7fd7b30a186ce49761c78dc631864f5962097a44480aae2eec26d19fd3f49b75ab371e04ef03a25752315dfd026e9b5197562c7d

memory/2780-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2780-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2780-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4708-38-0x0000000004AD0000-0x0000000004B65000-memory.dmp

memory/2780-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2780-41-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2780-42-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2780-43-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2780-44-0x0000000000400000-0x0000000000537000-memory.dmp