Malware Analysis Report

2025-04-13 10:27

Sample ID 240416-fh99jahh45
Target 079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1
SHA256 079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1
Tags djvu discovery persistence ransomware
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10
SHA256 079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1
Threat Level: Known bad

Malicious Activity Summary

Tags: djvu discovery persistence ransomware

Detected Djvu ransomware
Djvu Ransomware
Checks computer location settings
Modifies file permissions
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15: no technique mappings are included in this export.

Analysis: static1

Detonation Overview
Reported 2024-04-16 04:53

Signatures
Unsigned PE (no indicator rows recorded)

Analysis: behavioral1

Detonation Overview
Submitted 2024-04-16 04:53
Reported 2024-04-16 04:56
Platform win10v2004-20240412-en
Max time kernel 147s
Max time network 155s

Command Line
"C:\Users\Admin\AppData\Local\Temp\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe"

Signatures

Detected Djvu ransomware
Description Indicator Process Target
17 match rows, every field N/A in this export.

Djvu Ransomware
ransomware djvu

Checks computer location settings
Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe N/A

Modifies file permissions
discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application
persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\defa9bd9-3b12-4647-a2b7-3220d44d4825\\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe N/A

Looks up external IP address via web service
Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 identical rows)
Enumerates physical storage devices

Suspicious use of WriteProcessMemory

The 26 rows of this table collapse to four source/target pairs (row counts in parentheses). <sample> stands for C:\Users\Admin\AppData\Local\Temp\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe.

Source PID -> Target PID (rows) Source process -> Target process
2872 -> 408 (10) <sample> -> <sample>
408 -> 5028 (3) <sample> -> C:\Windows\SysWOW64\icacls.exe
408 -> 1008 (3) <sample> -> <sample>
1008 -> 3132 (10) <sample> -> <sample>

Processes

The report lists five processes in creation order. The PIDs below are taken from the WriteProcessMemory rows above, whose source/target pairs line up with that order one-to-one; the indentation is the resulting tree.

2872  "C:\Users\Admin\AppData\Local\Temp\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe"
  408  "C:\Users\Admin\AppData\Local\Temp\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe"
    5028  icacls "C:\Users\Admin\AppData\Local\defa9bd9-3b12-4647-a2b7-3220d44d4825" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    1008  "C:\Users\Admin\AppData\Local\Temp\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe" --Admin IsNotAutoStart IsNotTask
      3132  "C:\Users\Admin\AppData\Local\Temp\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe" --Admin IsNotAutoStart IsNotTask

Reading of the tree (an interpretation of the tables, not a statement the report makes): 2872 and 1008 each spawn a second copy of the same executable with the same command line and write into it ten times; the written-to children (408, 3132) are the instances whose 0x400000-0x537000 range, the usual 32-bit image base, is dumped repeatedly, while the parents' dumps cover regions outside the image. Together with the SetThreadContext signature in the summary, that is the shape of a packed loader unpacking a payload and injecting it into a suspended copy of itself. The child 408 is the instance that launches icacls and the --Admin relaunch; the switches distinguish how an instance was started, since the Run value launches with --AutoStart and the in-session relaunch with --Admin IsNotAutoStart IsNotTask.

The icacls command denies Everyone (SID S-1-1-0) the delete (DE) and delete-child (DC) rights on the GUID folder that holds the dropped copy, and the (OI)(CI) flags make the ACE inherit to the files and subfolders inside it. Until that deny ACE is removed (icacls "<folder>" /remove:d *S-1-1-0, or ownership is reset) the dropped copy cannot be deleted from an ordinary user shell, which is worth knowing before cleanup.

Network

Reading the table: the *.in-addr.arpa rows are reverse (PTR) lookups of addresses the VM touched and carry no sample data, and www.bing.com is most likely Windows background traffic. The rows attributable to the sample are api.2ip.ua over 443 (the external-IP lookup signature above) and the two plain-HTTP hosts sajdfue.com and sdfjhuz.com on port 80, whose requests the report does not decode. The same two names resolved to different addresses in the parallel behavioral2 run, so the domain names are the more durable indicators.

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 sajdfue.com udp
BA 109.175.29.39:80 sajdfue.com tcp
EG 102.189.42.190:80 sdfjhuz.com tcp
BA 109.175.29.39:80 sajdfue.com tcp
US 8.8.8.8:53 39.29.175.109.in-addr.arpa udp
US 8.8.8.8:53 190.42.189.102.in-addr.arpa udp
BA 109.175.29.39:80 sajdfue.com tcp
BA 109.175.29.39:80 sajdfue.com tcp
BA 109.175.29.39:80 sajdfue.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 72.239.69.13.in-addr.arpa udp

Files

Memory dumps (process PID, dump index, address range):
memory/2872-2-0x00000000049B0000-0x0000000004ACB000-memory.dmp
memory/2872-1-0x0000000002F70000-0x0000000003007000-memory.dmp
memory/408-N-0x0000000000400000-0x0000000000537000-memory.dmp for N = 3, 4, 5, 6, 15
memory/1008-18-0x0000000002DB0000-0x0000000002E4A000-memory.dmp
memory/3132-N-0x0000000000400000-0x0000000000537000-memory.dmp for N = 20, 21, 22, 27, 28, 29, 32, 34, 35, 36, 37

Dropped file (a copy of the submitted sample; its SHA256 equals the submission's):
C:\Users\Admin\AppData\Local\defa9bd9-3b12-4647-a2b7-3220d44d4825\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe
MD5 206a5afb1adfaf0ecfbbf8f5bfe115bf
SHA1 a120c4114ba234c9ee917a7acdabb2ef94db435f
SHA256 079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1
SHA512 b1c926e56d91fe61e8d896539f11641876d796d6417c87b468cd6d5af10cf293d61ad324bad328d795e8a5ab213b07202d0a077e38548a5a88d33cf500088e35

Windows CryptoAPI cache entries (CryptnetUrlCache holds the certificate, CRL and OCSP data CryptoAPI fetches while validating TLS chains; these are OS by-products of the HTTPS connections in the Network table, not sample drops):

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5 e86d1b9357a15ede81173986bc4aeb50
SHA1 61dcb2d6c3935fdf50d3f9104a3081ea6a7eab98
SHA256 fbf3b0d542a2b43d7bacde76ff89c48f34572eb10b62ed09b6cc3f78df9e249c
SHA512 09e65374f515aee045abbee6c056da2999e7da21b5ae563801f52cf5bbbbf6741f1f1fbe928235f47efd39a92c4868f32a6b3114a817901e860c38746ac0fcfe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5 77fff4010e48018b867bb350fb78b7c2
SHA1 31b0dfcc0b92a789cd5c94dbf8d0f5aca820ed31
SHA256 3e95094f49fea7951fb5ea5551a8b344c1ec16ddaf4f5da7b6bfe1151afa9ee5
SHA512 78a8fc7de1b3cbbc2225790bf55fd64b3c7fa922b4601dcbb1103cc12491da71ebae1eebfaa3a2ce2e0b3b3a7b7229dd448012c23a707f84aae8fe0e996c7e89

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
MD5 83f9f1d6465c1c04b90953a67e33e3e3
SHA1 55761ec5315e70df9a6df56bbee638160a256c98
SHA256 2e25e9f480046e9ece4054d6045f9802026e631758fa18e90fd86d9f48b60836
SHA512 248b3a4fdbcad70e5232fd88858ade04e975fdbb2e21f4e58da7fef579fb46d08198d08ef47715d061fef84ef2712c70632278f407742cc3929518018fed0f55

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
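The behavioral1 indicators above (a copy of the sample writing into a child copy of itself, the icacls deny ACE on a GUID-named folder under AppData\Local, the SysHelper Run value pointing into that folder with --AutoStart, and the api.2ip.ua lookup) map onto simple host-telemetry rules. The block below is an added example written for this page, not code from the sandbox, the report or the malware author; it runs those rules over a handful of constructed, Sysmon-like events that copy the PIDs, paths and command lines from behavioral1. The event dictionary layout, the event type names and the parent PID 1000 of the first process are assumptions of the example; the icacls right codes follow the documented icacls syntax.

```python
# Added example for this page (not code from the sandbox or the report):
# rule-style checks over constructed Sysmon-like events that mirror the
# behavioral1 run. The event layout is an assumption of this example.
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_NAME = "079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe"
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_NAME
STAGE_DIR = r"C:\Users\Admin\AppData\Local\defa9bd9-3b12-4647-a2b7-3220d44d4825"
RUN_KEY = (r"HKU\S-1-5-21-1826666146-2574340311-1877551059-1000"
           r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper")

# Constructed events. PIDs, paths, the icacls command and the Run value are
# copied from the report; the ppid 1000 of the first process is made up.
EVENTS: List[Dict] = [
    {"type": "ProcessCreate", "pid": 2872, "ppid": 1000, "image": SAMPLE_EXE,
     "cmdline": f'"{SAMPLE_EXE}"'},
    {"type": "ProcessCreate", "pid": 408, "ppid": 2872, "image": SAMPLE_EXE,
     "cmdline": f'"{SAMPLE_EXE}"'},
    {"type": "MemoryWrite", "source_pid": 2872, "target_pid": 408},
    {"type": "ProcessCreate", "pid": 5028, "ppid": 408,
     "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": f'icacls "{STAGE_DIR}" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "RegistryValueSet", "pid": 408, "key": RUN_KEY,
     "data": f'"{STAGE_DIR}\\{SAMPLE_NAME}" --AutoStart'},
    {"type": "DnsQuery", "pid": 408, "query": "api.2ip.ua"},
    {"type": "DnsQuery", "pid": 408, "query": "www.bing.com"},
]

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# A GUID-named folder directly under AppData\Local, as used for the dropped copy.
GUID_DIR_RE = re.compile(r"\\AppData\\Local\\" + GUID + r"(?=\\|$)", re.I)
# icacls "<path>" /deny <sid>:(inheritance flags)(rights)
ICACLS_DENY_RE = re.compile(
    r'icacls\s+"(?P<path>[^"]+)"\s+/deny\s+\*?(?P<sid>S-1-[\d-]+):'
    r"(?P<inherit>(?:\([A-Z]{2}\))*)\((?P<rights>[A-Z,]+)\)", re.I)
# Documented icacls right codes (simple rights plus the specific rights used here).
ICACLS_RIGHTS = {"F": "full", "M": "modify", "RX": "read/execute", "R": "read",
                 "W": "write", "D": "delete", "DE": "delete", "DC": "delete child",
                 "RC": "read control", "WDAC": "write DAC", "WO": "write owner"}
IP_LOOKUP_HOSTS = {"api.2ip.ua"}  # the service seen in this report; extend as needed


def parse_icacls_deny(cmdline: str) -> Optional[Dict]:
    """Decode the path, SID, inheritance flags and rights of an icacls /deny call."""
    m = ICACLS_DENY_RE.search(cmdline)
    if not m:
        return None
    return {
        "path": m.group("path"),
        "sid": m.group("sid").upper(),
        "inherit": re.findall(r"\(([A-Z]{2})\)", m.group("inherit").upper()),
        "rights": [ICACLS_RIGHTS.get(r, r)
                   for r in m.group("rights").upper().split(",")],
    }


def detect(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for the behaviours the report attributes to the sample."""
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    hits: List[Tuple[str, str]] = []
    for e in events:
        kind = e["type"]
        if kind == "MemoryWrite":
            src, dst = procs.get(e["source_pid"]), procs.get(e["target_pid"])
            # A parent writing into a just-spawned copy of its own image: the
            # pattern behind the WriteProcessMemory/SetThreadContext signatures.
            if (src and dst and dst["ppid"] == src["pid"]
                    and dst["image"].lower() == src["image"].lower()):
                hits.append(("self_injection",
                             f"{src['pid']} -> {dst['pid']} {dst['image']}"))
        elif kind == "ProcessCreate" and e["image"].lower().endswith("\\icacls.exe"):
            ace = parse_icacls_deny(e["cmdline"])
            # Everyone (S-1-1-0) denied rights on a GUID folder under AppData\Local.
            if ace and ace["sid"] == "S-1-1-0" and GUID_DIR_RE.search(ace["path"]):
                hits.append(("deny_everyone_on_guid_dir",
                             f"{ace['path']} denies {', '.join(ace['rights'])}"))
        elif kind == "RegistryValueSet" and re.search(r"\\CurrentVersion\\Run\\",
                                                      e["key"], re.I):
            quoted = re.match(r'"([^"]+)"', e["data"])  # image path precedes the switches
            if quoted and GUID_DIR_RE.search(quoted.group(1)):
                hits.append(("run_key_to_guid_dir", f"{e['key']} = {e['data']}"))
        elif kind == "DnsQuery" and e["query"].lower() in IP_LOOKUP_HOSTS:
            hits.append(("external_ip_lookup", f"pid {e['pid']} queried {e['query']}"))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:26} {detail}")
```

Run as a script it prints one line per rule hit; the bing lookup produces none. parse_icacls_deny also spells out why the dropped copy resists deletion (Everyone denied delete and delete-child, inherited to files and subfolders). For a real deployment the obvious knobs are IP_LOOKUP_HOSTS and the GUID_DIR_RE folder pattern; the self-injection rule deliberately requires both the parent/child relationship and an identical image path so that ordinary child processes do not fire it.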

Analysis: behavioral2

Detonation Overview
Submitted 2024-04-16 04:53
Reported 2024-04-16 04:56
Platform win11-20240412-en
Max time kernel 148s
Max time network 158s

Command Line
"C:\Users\Admin\AppData\Local\Temp\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe"

Signatures

Detected Djvu ransomware
Description Indicator Process Target
17 match rows, every field N/A in this export.

Djvu Ransomware
ransomware djvu

Modifies file permissions
discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application
persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8bcd94de-eec6-416b-b842-8c070dbe8662\\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe N/A

Looks up external IP address via web service
Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 identical rows)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

The 26 rows of this table collapse to four source/target pairs (row counts in parentheses). <sample> stands for C:\Users\Admin\AppData\Local\Temp\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe.

Source PID -> Target PID (rows) Source process -> Target process
2424 -> 5116 (10) <sample> -> <sample>
5116 -> 5076 (3) <sample> -> C:\Windows\SysWOW64\icacls.exe
5116 -> 3180 (3) <sample> -> <sample>
3180 -> 4976 (10) <sample> -> <sample>

Processes

Five processes in creation order, with PIDs taken from the WriteProcessMemory rows above (same chain as behavioral1, different PIDs and a different folder GUID); indentation shows the tree.

2424  "C:\Users\Admin\AppData\Local\Temp\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe"
  5116  "C:\Users\Admin\AppData\Local\Temp\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe"
    5076  icacls "C:\Users\Admin\AppData\Local\8bcd94de-eec6-416b-b842-8c070dbe8662" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3180  "C:\Users\Admin\AppData\Local\Temp\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe" --Admin IsNotAutoStart IsNotTask
      4976  "C:\Users\Admin\AppData\Local\Temp\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe" --Admin IsNotAutoStart IsNotTask

As in behavioral1, the written-to children (5116, 4976) are the instances whose 0x400000-0x537000 range is dumped repeatedly, and the icacls call denies Everyone (S-1-1-0) delete and delete-child on the folder holding the dropped copy, inherited to its contents. The folder GUID is generated per infection (defa9bd9-... on the Windows 10 run, 8bcd94de-... here), so hunt for the pattern of a GUID-named folder directly under AppData\Local rather than for either literal name.

Network

This run logged only TCP sessions, no DNS rows. The sample again reached api.2ip.ua over 443 and the two plain-HTTP hosts, but sajdfue.com and sdfjhuz.com resolved to 186.182.55.44 (AR) and 179.33.180.97 (CO) here against 109.175.29.39 (BA) and 102.189.42.190 (EG) in behavioral1, even though both runs were submitted at 04:53; block and hunt on the domain names rather than on these addresses.

Country Destination Domain Proto
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
CO 179.33.180.97:80 sdfjhuz.com tcp
AR 186.182.55.44:80 sajdfue.com tcp
AR 186.182.55.44:80 sajdfue.com tcp
AR 186.182.55.44:80 sajdfue.com tcp
AR 186.182.55.44:80 sajdfue.com tcp
AR 186.182.55.44:80 sajdfue.com tcp

Files

Memory dumps (process PID, dump index, address range):
memory/2424-1-0x0000000002F80000-0x0000000003013000-memory.dmp
memory/2424-2-0x0000000004BB0000-0x0000000004CCB000-memory.dmp
memory/5116-N-0x0000000000400000-0x0000000000537000-memory.dmp for N = 3, 4, 5, 6, 15
memory/3180-19-0x0000000002FB0000-0x000000000304F000-memory.dmp
memory/4976-N-0x0000000000400000-0x0000000000537000-memory.dmp for N = 20, 21, 22, 27, 28, 29, 32, 34, 35, 36, 37

Dropped file (a copy of the submitted sample; its SHA256 equals the submission's):
C:\Users\Admin\AppData\Local\8bcd94de-eec6-416b-b842-8c070dbe8662\079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1.exe
MD5 206a5afb1adfaf0ecfbbf8f5bfe115bf
SHA1 a120c4114ba234c9ee917a7acdabb2ef94db435f
SHA256 079f10750f5b73ec99eba7b32dd71dc92781a6d612628ee00c6e234135c37fb1
SHA512 b1c926e56d91fe61e8d896539f11641876d796d6417c87b468cd6d5af10cf293d61ad324bad328d795e8a5ab213b07202d0a077e38548a5a88d33cf500088e35

Windows CryptoAPI cache entries (CryptnetUrlCache holds the certificate, CRL and OCSP data CryptoAPI fetches while validating TLS chains; OS by-products of the HTTPS connections, not sample drops; the Content files match those of behavioral1 while the MetaData files differ):

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
MD5 e537a3ae61220b4ed6bf76d7fbc5f59a
SHA1 f8f5ceae89c25db96b2c14183e83ae1b0677aa1c
SHA256 d563ce1280d4226c96832ff84dae2d420921426257ad1f89b91afb0305f2f5f8
SHA512 2f4e298b780b93a05d0146e621c4b22f06848f75d2a7a40ce9627b0f2c73c242db7ecea9a85806e052b09b72444b335e5d77882e1a32aaddfbb28883f65efdf4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5 77fff4010e48018b867bb350fb78b7c2
SHA1 31b0dfcc0b92a789cd5c94dbf8d0f5aca820ed31
SHA256 3e95094f49fea7951fb5ea5551a8b344c1ec16ddaf4f5da7b6bfe1151afa9ee5
SHA512 78a8fc7de1b3cbbc2225790bf55fd64b3c7fa922b4601dcbb1103cc12491da71ebae1eebfaa3a2ce2e0b3b3a7b7229dd448012c23a707f84aae8fe0e996c7e89

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5 c66ab054838ce08a0d1fea95971415a7
SHA1 5fec7bd7c8a0ebfb561e079da1c65bf536967894
SHA256 7b5270a0bb5e94ac3b86a60a573ea7f7ecd38fc83f16ed0b25445904d69ac19e
SHA512 1e40319dd8580a879d58ed749bcc9bc207e74de60c2f23dbf37d5aee65e47cbba0bff1b3c3a6e09d8aac7e190ea070d82bcbb7a8e0ae56f3030590d269f776ec