Malware Analysis Report

2025-04-13 10:27

Sample ID: 240416-e6ft6ahe45
Target: 71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364
SHA256: 71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364
Tags: djvu discovery persistence ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364
Threat Level: Known bad

The file 71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364 was found to be: Known bad.

Malicious Activity Summary

Tags: djvu discovery persistence ransomware

Detected Djvu ransomware
Djvu Ransomware
Checks computer location settings
Modifies file permissions
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-16 04:32

Signatures

Unsigned PE

1 match; no description, indicator, process or target recorded (all fields N/A).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-16 04:32
Reported: 2024-04-16 04:35
Platform: win10v2004-20240412-en
Max time kernel: 147s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe"

Signatures

Detected Djvu ransomware

17 matches; no description, indicator, process or target recorded (all fields N/A).

Djvu Ransomware (tags: ransomware djvu)

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe
Target: N/A

Modifies file permissions (tag: discovery)

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\icacls.exe
Target: N/A

Adds Run key to start application (tag: persistence)

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0c4848a0-d056-4bf9-821b-96f4bc6d743a\\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe\" --AutoStart"
Process: C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe
Target: N/A

Looks up external IP address via web service

Indicator: api.2ip.ua (3 matches; no description, process or target recorded)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Source PID | Target PID | Writes | Source process | Target process
5060 | 1472 | 10 | C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe | C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe
1472 | 3492 | 3 | C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe | C:\Windows\SysWOW64\icacls.exe
1472 | 4488 | 3 | C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe | C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe
4488 | 2508 | 10 | C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe | C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe

No indicator was recorded for any of these writes (all N/A).

Processes

C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe

"C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe"

C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe

"C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\0c4848a0-d056-4bf9-821b-96f4bc6d743a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe

"C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe

"C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 sajdfue.com udp
ZA 169.1.51.101:80 sajdfue.com tcp
PK 103.193.18.35:80 sdfjhuz.com tcp
ZA 169.1.51.101:80 sajdfue.com tcp
US 8.8.8.8:53 35.18.193.103.in-addr.arpa udp
US 8.8.8.8:53 101.51.1.169.in-addr.arpa udp
ZA 169.1.51.101:80 sajdfue.com tcp
ZA 169.1.51.101:80 sajdfue.com tcp
ZA 169.1.51.101:80 sajdfue.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/5060-1-0x0000000002F00000-0x0000000002F93000-memory.dmp

memory/5060-2-0x0000000004A30000-0x0000000004B4B000-memory.dmp

memory/1472-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1472-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1472-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1472-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\0c4848a0-d056-4bf9-821b-96f4bc6d743a\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe

MD5 d201b331c5953dd3271f84a687e893b4
SHA1 18f7ec36314d7eb2dfb695a1d6629ef17a45ba62
SHA256 71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364
SHA512 4d93d9d6876ee49fd9878ea0f35e09ba1798a33bad8d0b0a54696c48c8f9a147f57de7c9947f06fbdf4853a9a9161e06a167a3db4531ded9adbfa52de67741c0

memory/1472-15-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4488-18-0x0000000002FC0000-0x000000000305B000-memory.dmp

memory/2508-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2508-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2508-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 f83226d8b7744b693b9089e623b22664
SHA1 2472fe76b8d706ed072638ab5d03d71283defcdb
SHA256 40a2845cf337d027cf6ef2395855bdbab0f06398761053043ec7b3143402cb2e
SHA512 97530a24fff295273d2d5f202c97a327e8c9c174691bc21970c03d4b695f2b661554ff69c56f8ec88cbf759e0fb127caa441b477ea85e1a977d35838dada6003

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 77fff4010e48018b867bb350fb78b7c2
SHA1 31b0dfcc0b92a789cd5c94dbf8d0f5aca820ed31
SHA256 3e95094f49fea7951fb5ea5551a8b344c1ec16ddaf4f5da7b6bfe1151afa9ee5
SHA512 78a8fc7de1b3cbbc2225790bf55fd64b3c7fa922b4601dcbb1103cc12491da71ebae1eebfaa3a2ce2e0b3b3a7b7229dd448012c23a707f84aae8fe0e996c7e89

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b3b455ac23970e6752a0845e70df81ce
SHA1 b1edc1e89a93421dd6e12441b5383c8f9d231272
SHA256 8d20183789e2a2bbdaa48b2c78aa287abd8ed33e935942862755eaf0259d2c30
SHA512 1b08ded060db3f95330f0b6c14373c8ef9ada68153f4ef766d9802c79ae0d9cfcb8c9473e63f12ddbdfc63cb76a840c6d00c6fdf28110b39b748e50332a85fd1

memory/2508-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2508-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2508-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2508-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2508-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2508-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2508-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2508-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-16 04:32
Reported: 2024-04-16 04:35
Platform: win11-20240412-en
Max time kernel: 147s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe"

Signatures

Detected Djvu ransomware

17 matches; no description, indicator, process or target recorded (all fields N/A).

Djvu Ransomware (tags: ransomware djvu)

Modifies file permissions (tag: discovery)

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\icacls.exe
Target: N/A

Adds Run key to start application (tag: persistence)

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b590dbf0-80f1-456f-aff1-230e3d952627\\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe\" --AutoStart"
Process: C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe
Target: N/A

Looks up external IP address via web service

Indicator: api.2ip.ua (3 matches; no description, process or target recorded)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Source PID | Target PID | Writes | Source process | Target process
3352 | 4840 | 10 | C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe | C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe
4840 | 1556 | 3 | C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe | C:\Windows\SysWOW64\icacls.exe
4840 | 2216 | 3 | C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe | C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe
2216 | 2148 | 10 | C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe | C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe

No indicator was recorded for any of these writes (all N/A).

Processes

C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe

"C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe"

C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe

"C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\b590dbf0-80f1-456f-aff1-230e3d952627" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe

"C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe

"C:\Users\Admin\AppData\Local\Temp\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
MX 201.119.119.155:80 sdfjhuz.com tcp
KR 211.181.24.132:80 sajdfue.com tcp
KR 211.181.24.132:80 sajdfue.com tcp
KR 211.181.24.132:80 sajdfue.com tcp
KR 211.181.24.132:80 sajdfue.com tcp
KR 211.181.24.132:80 sajdfue.com tcp

Files

memory/3352-1-0x0000000002F90000-0x0000000003032000-memory.dmp

memory/3352-2-0x0000000004A90000-0x0000000004BAB000-memory.dmp

memory/4840-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4840-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4840-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4840-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\b590dbf0-80f1-456f-aff1-230e3d952627\71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364.exe

MD5 d201b331c5953dd3271f84a687e893b4
SHA1 18f7ec36314d7eb2dfb695a1d6629ef17a45ba62
SHA256 71d99e9227e443da504412e4ead3349451b1205e302e3c5900040c226516b364
SHA512 4d93d9d6876ee49fd9878ea0f35e09ba1798a33bad8d0b0a54696c48c8f9a147f57de7c9947f06fbdf4853a9a9161e06a167a3db4531ded9adbfa52de67741c0

memory/4840-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2216-20-0x0000000002E80000-0x0000000002F1F000-memory.dmp

memory/2148-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2148-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2148-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 77fff4010e48018b867bb350fb78b7c2
SHA1 31b0dfcc0b92a789cd5c94dbf8d0f5aca820ed31
SHA256 3e95094f49fea7951fb5ea5551a8b344c1ec16ddaf4f5da7b6bfe1151afa9ee5
SHA512 78a8fc7de1b3cbbc2225790bf55fd64b3c7fa922b4601dcbb1103cc12491da71ebae1eebfaa3a2ce2e0b3b3a7b7229dd448012c23a707f84aae8fe0e996c7e89

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3b54db73024a1b2367f67c0831f8c926
SHA1 937636f43594602a4c474b4d55720ea808c8781e
SHA256 674c176ae6c9cb5ebf5dede4da1de6b7bcde4cd0dc15313dc94cfc15d74227d2
SHA512 984908f27fe007ed5df9ce9c89b8b8043e4264e441b00d6658d10d38b9d2ed4363e806dcc4fe0b76895194e0e32197571e661ece52e9103683dc4f64e81831d4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 3f1c31c7ee904fc443740315cd6a640a
SHA1 a6529bdd6a64376f2c8667d8a291ebd8f1802f9a
SHA256 d1942e3921c03b7fd20a308aceda293c71c61a2beb34638dd61b95f1c088d190
SHA512 7073e45cb948165bf1fc04fe2ebb183e17a4b093412e42f84c5881a18e5d868bb44caeb377f12dab1608d630a3790badcdc99847eb51427b885b7358201910c7

memory/2148-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2148-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2148-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2148-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2148-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2148-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2148-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2148-39-0x0000000000400000-0x0000000000537000-memory.dmp