Malware Analysis Report

2025-04-13 10:27

Sample ID: 240416-cwgycsfb92
Target: 9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651
SHA256: 9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651
Tags: djvu, discovery, persistence, ransomware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651

Threat Level: Known bad

The file 9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651 was found to be: Known bad.

Malicious Activity Summary

Tags: djvu, discovery, persistence, ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-16 02:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-16 02:25
Reported: 2024-04-16 02:28
Platform: win10v2004-20240412-en
Max time kernel: 147s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9297c677-de07-47c4-8c93-629a13a84af4\\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe
PID 788 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe C:\Windows\SysWOW64\icacls.exe
PID 788 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe
PID 4908 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe

"C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe"

C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe

"C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\9297c677-de07-47c4-8c93-629a13a84af4" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe

"C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe

"C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 sajdfue.com udp
LY 102.218.198.12:80 sajdfue.com tcp
CO 181.55.190.201:80 sdfjhuz.com tcp
US 8.8.8.8:53 12.198.218.102.in-addr.arpa udp
US 8.8.8.8:53 201.190.55.181.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/2044-1-0x0000000004B00000-0x0000000004B9C000-memory.dmp

memory/2044-2-0x0000000004BA0000-0x0000000004CBB000-memory.dmp

memory/788-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/788-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/788-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/788-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\9297c677-de07-47c4-8c93-629a13a84af4\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe

MD5 6067c1f7658f5862dcce964ae8a9b049
SHA1 de1c58620017ed7f4c11b5cf00321aa203425b2f
SHA256 9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651
SHA512 5c863b1977ac2e742638d96b9933222b475338b8f79501edd35fded93790ef4f8391896d70f1aa3197a317a3821c06f654af05804e01f23d47c1208a873cf138

memory/788-15-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4908-18-0x0000000004A30000-0x0000000004AC3000-memory.dmp

memory/4544-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4544-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4544-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a796999c503d181cf67725ed32be3bfe
SHA1 61bed07e1ca6dd7325b65653307671f95cd943bc
SHA256 54a3267f8825a4819df16f5448a9829081f9030088a02fa981222b43ec0fb392
SHA512 5856964f0d0b6624577ce69751eab308994ef106eaf1de54fa4544caf362f4fbb94f99ceb4f9865746d01a9edce3dcdd685ad3767d761bdbf591ab20ec88081e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 eff8dce19955c6fb01ccfd0708a873ad
SHA1 7aec9eab87eadc8089697dfaa13ef53502f3e5d6
SHA256 1887e6641c2edc0f74eff7a0541ad57bb8aa15cc3d45f33326c059bdfb126546
SHA512 da4d75a8958a653abdbdbf58b557069db4bec3311b72230439e4f180e78736ee5358efd7c0da75373b49bed30438cc65f5776f4935cffd17d2bdaa5fbc50ce21

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 6871b34be2256b7e34f1f01de14e0290
SHA1 b30a4c79500987d1d932dce9e6457b241263df73
SHA256 9b9a7bfd8d11848c451dcadc2eea8fd5d14c9f76af5473f7cbc8648248649952
SHA512 8ab70305f7a83dcb63bc2b609a345965e705e4c2be19ecaa5b5b4a648f21c7ea039d6c1a97b1b7d6322b79a925b19159322a9f83f13a07886fbec7500bb45c18

memory/4544-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4544-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4544-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4544-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4544-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4544-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4544-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4544-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-16 02:25
Reported: 2024-04-16 02:28
Platform: win11-20240412-en
Max time kernel: 149s
Max time network: 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0f63bfa3-f7b3-48cd-9836-665c8b5b173a\\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1032 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe
PID 940 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe C:\Windows\SysWOW64\icacls.exe
PID 940 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe
PID 4704 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe

"C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe"

C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe

"C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\0f63bfa3-f7b3-48cd-9836-665c8b5b173a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe

"C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe

"C:\Users\Admin\AppData\Local\Temp\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
ZA 169.1.51.101:80 sajdfue.com tcp
AR 186.13.17.220:80 sdfjhuz.com tcp

Files

memory/1032-1-0x0000000004C20000-0x0000000004CBD000-memory.dmp

memory/1032-2-0x0000000004CC0000-0x0000000004DDB000-memory.dmp

memory/940-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/940-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/940-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/940-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\0f63bfa3-f7b3-48cd-9836-665c8b5b173a\9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651.exe

MD5 6067c1f7658f5862dcce964ae8a9b049
SHA1 de1c58620017ed7f4c11b5cf00321aa203425b2f
SHA256 9e539d4a2fd02d296f715429a74074fe98d363e0332a41de4e03bcb445d28651
SHA512 5c863b1977ac2e742638d96b9933222b475338b8f79501edd35fded93790ef4f8391896d70f1aa3197a317a3821c06f654af05804e01f23d47c1208a873cf138

memory/940-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4704-21-0x0000000004AE0000-0x0000000004B74000-memory.dmp

memory/2304-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2304-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2304-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a796999c503d181cf67725ed32be3bfe
SHA1 61bed07e1ca6dd7325b65653307671f95cd943bc
SHA256 54a3267f8825a4819df16f5448a9829081f9030088a02fa981222b43ec0fb392
SHA512 5856964f0d0b6624577ce69751eab308994ef106eaf1de54fa4544caf362f4fbb94f99ceb4f9865746d01a9edce3dcdd685ad3767d761bdbf591ab20ec88081e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 dd5f4bac57a7606f516313488ecef873
SHA1 6b7851751edb738632d7eb5aaf6c7f909205da4b
SHA256 82aa3bd0e46e145590efbdc5916c42c0492f18022b71cba1c3d0470445619168
SHA512 3e8d9f1f1d076c596cea8bc750c031a976d059cb007f81075b07ec8ec9c1560d6b8d1148be6638a367c720e537b175fdee481cc71502f3d6f4832ef6f6bc714d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 a30642c639ac8507ccadc9c528d21cf3
SHA1 a1769303d52b21f6dd6eaec90438814fa9fb3d40
SHA256 be70ea33e19cdc215c2a02246aecea11251de83bb8b6e4d04eeac211b6c40840
SHA512 d010fc0c07dd1395bc39fbd2cb965223bd062555e9bb6d864ae7b99db593205815dfcad85093da3cd335153a52cabf113aa525b418b54a8fbb380aaf6f14b1f8

memory/2304-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2304-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2304-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2304-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2304-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2304-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2304-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2304-39-0x0000000000400000-0x0000000000537000-memory.dmp