Malware Analysis Report

2025-04-13 10:27

Sample ID 240416-aa7wjsdg7t
Target 2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138
SHA256 2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138
Tags
djvu discovery persistence ransomware
score
10/10


Analysis Overview

score
10/10

SHA256

2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138

Threat Level: Known bad

The file 2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Modifies file permissions

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-16 00:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-16 00:01

Reported

2024-04-16 00:04

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target Count
N/A N/A N/A N/A 17

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\dafa3828-ae75-4115-83ce-b4cd1a24279c\\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe N/A

Looks up external IP address via web service

Description Indicator Process Target Count
N/A api.2ip.ua N/A N/A 3

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2292 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe 10
PID 60 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe C:\Windows\SysWOW64\icacls.exe 3
PID 60 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe 3
PID 5060 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe 10

Processes

C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe

"C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe"

C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe

"C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\dafa3828-ae75-4115-83ce-b4cd1a24279c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe

"C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe

"C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 sajdfue.com udp
ZA 169.1.51.101:80 sajdfue.com tcp
PK 116.58.10.60:80 sdfjhuz.com tcp
ZA 169.1.51.101:80 sajdfue.com tcp
US 8.8.8.8:53 60.10.58.116.in-addr.arpa udp
US 8.8.8.8:53 101.51.1.169.in-addr.arpa udp
ZA 169.1.51.101:80 sajdfue.com tcp
ZA 169.1.51.101:80 sajdfue.com tcp
ZA 169.1.51.101:80 sajdfue.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 35.197.79.40.in-addr.arpa udp

Files

memory/2292-1-0x0000000004B30000-0x0000000004BC6000-memory.dmp

memory/2292-2-0x0000000004BD0000-0x0000000004CEB000-memory.dmp

memory/60-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/60-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/60-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/60-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\dafa3828-ae75-4115-83ce-b4cd1a24279c\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe

MD5 ebdd98ee7607a3d6300406ddcdb955b1
SHA1 659a2dd87be33c334fc153c9a7d6867f4beea607
SHA256 2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138
SHA512 d8f240d51c6ca1ddee7c1602cd397c39ddd4aab8d050bc454fdbbcb65b7663ab0f53708b981eb2daa8b85cfe5892242b8f575784409fb8795838647d6673e350

memory/60-15-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5060-18-0x0000000004A00000-0x0000000004A95000-memory.dmp

memory/4060-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4060-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4060-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3c6a98dff2c8e5d41183fb934602bccf
SHA1 389eea4f6c8b9a19dd6efd65b2c979feeb4262a7
SHA256 8c5e90026091280487ae42d5c0f266528cacb6de18c7f3d693ecfdb547b06ac8
SHA512 fde8e5de812641dc896e8d8182dcf4244670e431f3310aba576f0f330a9d8a4221eb7513005e9755512d0c645cbf164c4c5f8872689d2e52a58b3f39668de8fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 abd1057f75d426321573780e1e3e21cc
SHA1 528ae9bf35e5a85d7bfef9ed0d16d5f6b5ae8530
SHA256 86c102bc1032a57f161f0c27e196d6eec00622129e7919d9b9a793d4fe7a07d4
SHA512 adbfc0f380a03792bd09441b06bae4d0fb3c3030b3b3880f91fddce4dfdc774d220de770dffd7baabd3c8fea90659a810e9a9f3f73ff7069253ffef328fa3256

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 7a33b03ec4f6168285117dddd7b4f2b3
SHA1 2c4b71fc2713dba0efc0269cb45078c6b6eed50f
SHA256 fdc51462614302a924a8b5567df082c05d3750a90ec8f00933b3ab298a506625
SHA512 041ed3cb105c37f768be7b3ec089c5c63883eb2b29d9878b0c7c60d8f85cbf3b4184c06a579a91a8f6bf78b02716296c6957436a82e7b563e95d377656b9a52b

memory/4060-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4060-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4060-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4060-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4060-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4060-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4060-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4060-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-16 00:01

Reported

2024-04-16 00:04

Platform

win11-20240412-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target Count
N/A N/A N/A N/A 17

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4041115548-3858121278-1660933110-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0ec00c4b-da95-4020-b807-c94e2b29b681\\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe N/A

Looks up external IP address via web service

Description Indicator Process Target Count
N/A api.2ip.ua N/A N/A 3

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3768 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe 10
PID 4864 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe C:\Windows\SysWOW64\icacls.exe 3
PID 4864 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe 3
PID 3796 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe 10

Processes

C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe

"C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe"

C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe

"C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\0ec00c4b-da95-4020-b807-c94e2b29b681" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe

"C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe

"C:\Users\Admin\AppData\Local\Temp\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
CO 190.145.136.42:80 sdfjhuz.com tcp
MX 189.181.27.55:80 sajdfue.com tcp
MX 189.181.27.55:80 sajdfue.com tcp
MX 189.181.27.55:80 sajdfue.com tcp
MX 189.181.27.55:80 sajdfue.com tcp
MX 189.181.27.55:80 sajdfue.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3768-1-0x0000000004C50000-0x0000000004CE8000-memory.dmp

memory/3768-2-0x0000000004CF0000-0x0000000004E0B000-memory.dmp

memory/4864-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4864-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4864-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4864-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\0ec00c4b-da95-4020-b807-c94e2b29b681\2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138.exe

MD5 ebdd98ee7607a3d6300406ddcdb955b1
SHA1 659a2dd87be33c334fc153c9a7d6867f4beea607
SHA256 2f75621a9d1b0e38358b5a1e21bf0ddddadb8a6a1d714d761efa77024241a138
SHA512 d8f240d51c6ca1ddee7c1602cd397c39ddd4aab8d050bc454fdbbcb65b7663ab0f53708b981eb2daa8b85cfe5892242b8f575784409fb8795838647d6673e350

memory/4864-15-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3796-18-0x00000000049C0000-0x0000000004A52000-memory.dmp

memory/3732-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3732-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3732-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 7a2fb411d906ae6341854d895b992a14
SHA1 01184db179b8feb2c0fa6d52b5c089b300ddf3b6
SHA256 2dbcc6b982c8a02447a4cd207f3f7cbad0d41768207745008506bbbd60cb22eb
SHA512 5bab14f5d25e721595faf663aedf07e093ad178955c5faf05fbf1833b126133b6067e6d766603c646f1d06ea8ff8ae5777aa004b0975fd67dc92b1516a977267

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3c6a98dff2c8e5d41183fb934602bccf
SHA1 389eea4f6c8b9a19dd6efd65b2c979feeb4262a7
SHA256 8c5e90026091280487ae42d5c0f266528cacb6de18c7f3d693ecfdb547b06ac8
SHA512 fde8e5de812641dc896e8d8182dcf4244670e431f3310aba576f0f330a9d8a4221eb7513005e9755512d0c645cbf164c4c5f8872689d2e52a58b3f39668de8fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 c41d6cb6f3d5f8f8e14fc56a16082509
SHA1 525fc197f9a2184a409d7b9482a2b84bb5b12559
SHA256 07dcd6c74759bdde38c94a294da42be5ae0e6aad23a3c1d486c800c28126d0a8
SHA512 0d67e253fff5444f7b9d72af3e3fc8a7cd8f670c4ae852c619df7b7eed775dedaee5095c09033e5c2f831a94514399481112bb366b53464285658758916199fd

memory/3732-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3732-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3732-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3732-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3732-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3732-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3732-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3732-37-0x0000000000400000-0x0000000000537000-memory.dmp