Malware Analysis Report

2024-10-23 16:23

Sample ID 240521-1xsy1sbg4t
Target d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458
SHA256 d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458
Tags: djvu discovery persistence ransomware
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458

Threat Level: Known bad

The file d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Modifies file permissions

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

No technique mapping is reproduced in this export.

Analysis: static1

Detonation Overview

Reported

2024-05-21 22:02

Signatures

Unsigned PE

No indicator details are recorded for this signature; it is a check on the PE file itself, not on runtime behaviour.

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 22:02

Reported

2024-05-21 22:04

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe"

Signatures

Detected Djvu ransomware

15 rule matches; no indicator details are recorded for this signature.

Djvu Ransomware (tags: ransomware, djvu)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe N/A

Geo\Nation holds the Windows GeoID of the country configured for the user; the sandbox flags the read because malware commonly uses it as a locale check before deciding whether to run.

Modifies file permissions (tag: discovery)

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application (tag: persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\811d6e58-b508-4e84-bede-57ef9501559b\\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3592 wrote to memory of 2352 (10 calls) N/A C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe
PID 2352 wrote to memory of 4300 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe C:\Windows\SysWOW64\icacls.exe
PID 2352 wrote to memory of 2720 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe
PID 2720 wrote to memory of 4840 (10 calls) N/A C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe
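
The table above is one row per WriteProcessMemory call and is easier to read as a tree. The script below is an added example, not part of the sandbox's report or of any vendor tooling: it parses rows in the sandbox's own wording (the rows embedded in it reproduce the behavioral1 table, 10 + 3 + 3 + 10 calls), collapses repeats and labels each parent-to-child edge. The five-write burst threshold is my heuristic, not a sandbox rule: CreateProcess itself performs a few writes into every new child to set up its environment block, so three writes only say "spawned", whereas a burst of writes into a child running the same image is the hollowing pattern that the SetThreadContext signature in the summary also points at.

```python
"""Rebuild the process-injection chain from the sandbox's
'Suspicious use of WriteProcessMemory' rows."""
import re
from collections import Counter, defaultdict

# One row per WriteProcessMemory call, in the sandbox's own wording. The rows below
# reproduce the behavioral1 table of this report (10 + 3 + 3 + 10 calls); an optional
# "(N calls)" suffix is also accepted so a condensed table parses the same way.
EXE = r"C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe"
ICACLS = r"C:\Windows\SysWOW64\icacls.exe"
REPORT_ROWS = (
    [f"PID 3592 wrote to memory of 2352 N/A {EXE} {EXE}"] * 10
    + [f"PID 2352 wrote to memory of 4300 N/A {EXE} {ICACLS}"] * 3
    + [f"PID 2352 wrote to memory of 2720 N/A {EXE} {EXE}"] * 3
    + [f"PID 2720 wrote to memory of 4840 N/A {EXE} {EXE}"] * 10
)

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)(?: \((?P<n>\d+) calls\))? N/A "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)$")

# Heuristic threshold (assumption, not a sandbox rule): CreateProcess writes a few
# times into every new child to set up its environment block, so three writes mean
# "spawned"; a burst into a child of the same image is the hollowing pattern.
BURST = 5


def parse_rows(rows):
    """Return ({(src_pid, dst_pid): call_count}, {pid: image_path})."""
    calls, images = Counter(), {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue  # header or malformed line
        src, dst = int(m["src"]), int(m["dst"])
        calls[(src, dst)] += int(m["n"] or 1)
        images[src], images[dst] = m["src_img"], m["dst_img"]
    return calls, images


def injection_chain(rows, burst=BURST):
    """Label every parent->child edge by write count and image identity."""
    calls, images = parse_rows(rows)
    edges = []
    for (src, dst), n in sorted(calls.items()):
        same_image = images[src].lower() == images[dst].lower()
        if n >= burst and same_image:
            label = "self-injection (likely hollowed copy)"
        elif n >= burst:
            label = "injection into another image"
        else:
            label = "process creation only"
        edges.append({"src": src, "dst": dst, "writes": n, "label": label,
                      "dst_image": images[dst].rsplit("\\", 1)[-1]})
    return edges


def root_pids(edges):
    """PIDs that write but are never written to: the initial sample process."""
    return sorted({e["src"] for e in edges} - {e["dst"] for e in edges})


def render_tree(edges):
    """Indented text tree, one line per edge, for the analyst's notes."""
    children = defaultdict(list)
    for e in edges:
        children[e["src"]].append(e)
    lines = []

    def walk(pid, depth):
        for e in sorted(children[pid], key=lambda e: e["dst"]):
            lines.append(f"{'    ' * depth}{e['src']} -> {e['dst']} {e['dst_image']} "
                         f"[{e['writes']} writes: {e['label']}]")
            walk(e["dst"], depth + 1)

    for root in root_pids(edges):
        lines.append(f"{root} (initial process)")
        walk(root, 1)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(injection_chain(REPORT_ROWS)))
```

Run against this report's rows it prints 3592 as the initial process, 2352 as its hollowed copy, icacls.exe and the `--Admin IsNotAutoStart IsNotTask` relaunch (2720) as plain children of 2352, and 4840 as a second hollowed copy under 2720. Memory dumps of 2352 and 4840 at 0x400000 in the Files section are the ones worth unpacking: they are the image that actually ran.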

Processes

C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe

"C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe"

C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe

"C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\811d6e58-b508-4e84-bede-57ef9501559b" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe

"C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe

"C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe" --Admin IsNotAutoStart IsNotTask

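The icacls line in the process list is the sample shielding its dropped copy: it denies Everyone (`*S-1-1-0`) the DELETE and DELETE_CHILD rights on the GUID-named folder, inherited by files (`OI`) and subfolders (`CI`), so neither the user nor a naive cleanup script can remove it in place. The parser below is an added example, not sandbox or vendor code; it decodes icacls ACE syntax in general (well-known SIDs, inheritance flags, simple and specific rights) and flags the specific pattern seen here, a deny of delete rights to Everyone on a path inside a user profile. The command line it tests against is copied from this report; the well-known SID and rights tables are the documented icacls abbreviations.

```python
"""Decode the icacls ACE this sample applies to its drop folder and flag the pattern."""
import re

# Copied from the behavioral1 process list of this report.
SAMPLE_CMDLINE = (r'icacls "C:\Users\Admin\AppData\Local\811d6e58-b508-4e84-bede-57ef9501559b" '
                  r'/deny *S-1-1-0:(OI)(CI)(DE,DC)')

WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-18": "SYSTEM",
                   "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users"}
INHERIT_FLAGS = {"OI": "object inherit", "CI": "container inherit",
                 "IO": "inherit only", "NP": "no propagate inherit"}
SIMPLE_RIGHTS = {"F": "full", "M": "modify", "RX": "read+execute", "R": "read",
                 "W": "write", "D": "delete"}
SPECIFIC_RIGHTS = {"DE": "delete", "DC": "delete child", "RC": "read control",
                   "WDAC": "write DAC", "WO": "write owner", "S": "synchronize",
                   "GR": "generic read", "GW": "generic write", "GA": "generic all",
                   "RD": "read data/list directory", "WD": "write data/add file",
                   "AD": "append data/add subdirectory", "X": "execute/traverse"}
# Rights that permit removing the directory tree, directly or by implication.
DELETE_RIGHTS = {"DE", "DC", "D", "F", "M", "GA"}
USER_PROFILE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\", re.I)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_ace(spec):
    """'*S-1-1-0:(OI)(CI)(DE,DC)' -> principal, inheritance flags, rights."""
    sid, _, perm = spec.partition(":")
    principal = WELL_KNOWN_SIDS.get(sid[1:], sid[1:]) if sid.startswith("*") else sid
    groups = re.findall(r"\(([A-Z,]+)\)", perm)
    bare = re.sub(r"\([A-Z,]+\)", "", perm)
    if bare:
        groups.append(bare)  # simple-rights form, e.g. (OI)(CI)F
    flags, rights = [], []
    for g in groups:
        if g in INHERIT_FLAGS:
            flags.append(g)
        else:
            rights.extend(g.split(","))
    return {"principal": principal, "flags": flags, "rights": rights}


def parse_icacls(cmdline):
    """Return the target path and every /grant or /deny ACE on the command line."""
    argv = tokenize(cmdline)
    parsed = {"target": argv[1] if len(argv) > 1 else "", "aces": []}
    mode = None
    for tok in argv[2:]:
        low = tok.lower()
        if low.startswith(("/grant", "/deny", "/remove")):
            mode = low[1:].split(":")[0]
        elif low.startswith("/"):
            continue  # /t, /c, /q and similar switches carry no ACE
        elif mode in ("grant", "deny"):
            parsed["aces"].append(dict(parse_ace(tok), type=mode))
    return parsed


def describe(ace):
    """Human-readable rendering of one parsed ACE."""
    names = {**SIMPLE_RIGHTS, **SPECIFIC_RIGHTS}
    rights = ", ".join(names.get(r, r) for r in ace["rights"])
    inherit = ", ".join(INHERIT_FLAGS[f] for f in ace["flags"]) or "this object only"
    return f"{ace['type']} {ace['principal']}: {rights} ({inherit})"


def self_protecting_deny(cmdline):
    """Reason string when icacls denies Everyone a delete right on a path inside a
    user profile (malware shielding its own dropped copy); None otherwise."""
    parsed = parse_icacls(cmdline)
    if not USER_PROFILE.match(parsed["target"]):
        return None
    for ace in parsed["aces"]:
        if (ace["type"] == "deny" and ace["principal"] == "Everyone"
                and set(ace["rights"]) & DELETE_RIGHTS):
            return describe(ace) + " on " + parsed["target"]
    return None


if __name__ == "__main__":
    print(self_protecting_deny(SAMPLE_CMDLINE))
```

For cleanup the deny ACE is not a real obstacle: the folder's owner keeps WRITE_DAC regardless of explicit deny entries, so `icacls <dir> /remove:d *S-1-1-0` (or `/reset`) strips it before deletion. The detection value is in the command line itself, which a parent process in the user's own Temp directory has no legitimate reason to run.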
Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 cajgtus.com udp
BR 186.233.231.45:80 cajgtus.com tcp
KR 125.7.253.10:80 sdfjhuz.com tcp
BR 186.233.231.45:80 cajgtus.com tcp
US 8.8.8.8:53 45.231.233.186.in-addr.arpa udp
US 8.8.8.8:53 10.253.7.125.in-addr.arpa udp
BR 186.233.231.45:80 cajgtus.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
BR 186.233.231.45:80 cajgtus.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
BR 186.233.231.45:80 cajgtus.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
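
Most of this table is sandbox noise: the 8.8.8.8 rows are the resolver, the in-addr.arpa rows are reverse lookups the sandbox itself performs, and the bing.com traffic is the Windows 10 image phoning home. What the signatures actually attribute to the sample is the Run value named SysHelper pointing into a GUID-named folder with `--AutoStart`, the `--Admin IsNotAutoStart IsNotTask` relaunch, and the lookup of the external IP address via api.2ip.ua; the plain-HTTP connections to cajgtus.com and sdfjhuz.com are recorded but not attributed by any signature on this page. The detector below is an added example, not sandbox or vendor code: it expresses the attributed behaviour as rules over Sysmon-style events (IDs 1, 13 and 22, field names as Sysmon logs them) and only raises an image when more than one rule fires, because each rule alone also matches legitimate installers and updaters. The events it runs over are constructed for the example, the first four mirroring this report and the rest benign noise; the list of IP-lookup hosts contains only the one seen here and is meant to be extended.

```python
"""Detection logic for the persistence, relaunch and IP-lookup behaviour this report
records, run offline over constructed Sysmon-style events (not real telemetry)."""
import re

EXE = r"C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe"
DROP = r"C:\Users\Admin\AppData\Local\811d6e58-b508-4e84-bede-57ef9501559b\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe"

# Hallmarks taken from the behavioral1 section; field names follow Sysmon's schema.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
GUID_DIR_IN_LOCALAPPDATA = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\", re.I)
RELAUNCH_SWITCHES = ("--AutoStart", "--Admin IsNotAutoStart IsNotTask")
IP_LOOKUP_HOSTS = {"api.2ip.ua"}  # only the service seen here; extend from your own telemetry


def rule_run_key_guid_dir(ev):
    """Sysmon 13: Run value whose data points into a GUID-named folder under AppData\\Local."""
    return (ev.get("EventID") == 13
            and RUN_KEY.search(ev.get("TargetObject", "")) is not None
            and GUID_DIR_IN_LOCALAPPDATA.search(ev.get("Details", "")) is not None)


def rule_relaunch_switches(ev):
    """Sysmon 1: a process started with the switches the sample passes to its own copy."""
    return ev.get("EventID") == 1 and any(s in ev.get("CommandLine", "") for s in RELAUNCH_SWITCHES)


def rule_external_ip_lookup(ev):
    """Sysmon 22: DNS query for a public 'what is my IP' service."""
    return ev.get("EventID") == 22 and ev.get("QueryName", "").lower() in IP_LOOKUP_HOSTS


RULES = {"run_key_guid_dir": rule_run_key_guid_dir,
         "relaunch_switches": rule_relaunch_switches,
         "external_ip_lookup": rule_external_ip_lookup}


def evaluate(events):
    """(event index, rule name, Image) for every rule that fires."""
    return [(i, name, ev.get("Image")) for i, ev in enumerate(events)
            for name, fn in RULES.items() if fn(ev)]


def suspicious_images(events, min_rules=2):
    """Images with at least min_rules distinct hits. One rule alone is weak evidence
    (installers write Run keys, updaters look up IPs); the combination is not."""
    by_image = {}
    for _, name, image in evaluate(events):
        by_image.setdefault(image, set()).add(name)
    return sorted(img for img, names in by_image.items() if len(names) >= min_rules)


# Constructed events: the first four mirror this report, the rest are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": EXE,
     "TargetObject": r"HKU\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "Details": f'"{DROP}" --AutoStart'},
    {"EventID": 1, "Image": EXE, "ParentImage": EXE,
     "CommandLine": f'"{EXE}" --Admin IsNotAutoStart IsNotTask'},
    {"EventID": 22, "Image": EXE, "QueryName": "api.2ip.ua"},
    {"EventID": 22, "Image": EXE, "QueryName": "cajgtus.com"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe" /background'},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "www.bing.com"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
    print("suspicious:", suspicious_images(SAMPLE_EVENTS))
```

The cajgtus.com query deliberately matches nothing: with no signature attributing it, adding it to a rule would be a guess, and the right follow-up is to pull the HTTP exchange on port 80 from the pcap and decide from the content.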

Files

memory/3592-1-0x0000000002660000-0x00000000026F7000-memory.dmp

memory/3592-2-0x00000000040A0000-0x00000000041BB000-memory.dmp

memory/2352-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2352-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2352-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2352-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\811d6e58-b508-4e84-bede-57ef9501559b\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe

MD5 a8a057d904ff939a2e74bc340391122e
SHA1 2f1c5113abda6750f790d1338b15232259b6a85c
SHA256 d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458
SHA512 bf7fe893d919d454202c7e4f4ac618af616c22db6938175466bd2b0251e9f2fff7f4b9b205e6ee9a28200faba4ad8194f13c82600b41f7225575913121aedd0e

memory/2352-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4840-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 a6ffbab822d6f4eff7d1ff98af31c3e0
SHA1 7bfe6d56f1e98a44ce5285c0526365eb0f3e9b54
SHA256 5ed08c765ec3bb2324fd93a60cd48bc4dd79e52299a5a1325d2e83a01d221ebd
SHA512 9a266413b6fbee770e0c34052acdbe2bf8e930b53994f3fc05251aaba7f26d3162f7787488510db419c0f7c44d2819050c0eb2ef087664c958cd85d458d43e9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a1d955617a4d146e70544d0d9a0390ca
SHA1 5ffdc4453b23e24a7cb0e634b26864c169f5257b
SHA256 8dbff2c0018158256912d87dd495a68c351303a319f50f204a930317e867aeb3
SHA512 0bffbc27638b12cc04f335de8c4f3c74df01ae55b56f389f8d046d797b4c62d31bbff057ea75ce32f67cdd3b878fd0aad3eb62e983f814296e1b94de3c6ba810

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 beaaa35e3efc28e1e2095491eed6c4f2
SHA1 da0106b518257b0fee1af489fb3274d71bd7268a
SHA256 2c01f986d15b03283c2a19198d736155d6ad1ff22c8edfb88d1fb76742aa7507
SHA512 5d63de2cf83c421830f1bcbb1d11696a696fdfc8eca54a51941097e48da6cbd823e5bf9c3f63074698afaec913fac284c665f8d63f05eed740876c4b800b3174

memory/4840-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4840-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4840-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4840-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4840-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4840-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4840-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4840-39-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 22:02

Reported

2024-05-21 22:04

Platform

win11-20240508-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe"

Signatures

Detected Djvu ransomware

15 rule matches; no indicator details are recorded for this signature.

Djvu Ransomware (tags: ransomware, djvu)

Modifies file permissions (tag: discovery)

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application (tag: persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\53fd561c-eef8-46b2-a745-f1bbef598a30\\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3716 wrote to memory of 480 (10 calls) N/A C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe
PID 480 wrote to memory of 4688 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe C:\Windows\SysWOW64\icacls.exe
PID 480 wrote to memory of 4848 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe
PID 4848 wrote to memory of 328 (10 calls) N/A C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe

"C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe"

C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe

"C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\53fd561c-eef8-46b2-a745-f1bbef598a30" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe

"C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe

"C:\Users\Admin\AppData\Local\Temp\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
BR 186.233.231.45:80 cajgtus.com tcp
SA 188.52.244.26:80 sdfjhuz.com tcp
BR 186.233.231.45:80 cajgtus.com tcp
BR 186.233.231.45:80 cajgtus.com tcp
BR 186.233.231.45:80 cajgtus.com tcp
BR 186.233.231.45:80 cajgtus.com tcp
US 52.111.229.19:443 tcp

Files

memory/3716-1-0x00000000025E0000-0x0000000002679000-memory.dmp

memory/3716-2-0x00000000042B0000-0x00000000043CB000-memory.dmp

memory/480-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/480-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/480-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/480-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\53fd561c-eef8-46b2-a745-f1bbef598a30\d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458.exe

MD5 a8a057d904ff939a2e74bc340391122e
SHA1 2f1c5113abda6750f790d1338b15232259b6a85c
SHA256 d83e1644b8554921261b610d2e3dd5e8de0153f550749bcbfc805cfbc3e4b458
SHA512 bf7fe893d919d454202c7e4f4ac618af616c22db6938175466bd2b0251e9f2fff7f4b9b205e6ee9a28200faba4ad8194f13c82600b41f7225575913121aedd0e

memory/480-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/328-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 0cb7015e93dc42b9f96423fda1e0313f
SHA1 5e8d7080eb2735474513778f91a0545c79222047
SHA256 0a5c1ec0b5fad59a0869f5f68ed31eadf4f62652911cd14936ecd3f788a3d478
SHA512 c2d156fce982f02b6326f093397dbcc8abd19abc263584cde07893c1233b2b82b13c972f98e45896a2dd2b44cc3d0e9bfbaaac550182b355a01d28fb234458a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a1d955617a4d146e70544d0d9a0390ca
SHA1 5ffdc4453b23e24a7cb0e634b26864c169f5257b
SHA256 8dbff2c0018158256912d87dd495a68c351303a319f50f204a930317e867aeb3
SHA512 0bffbc27638b12cc04f335de8c4f3c74df01ae55b56f389f8d046d797b4c62d31bbff057ea75ce32f67cdd3b878fd0aad3eb62e983f814296e1b94de3c6ba810

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 08544f9d19303a8518b07f4ed540937b
SHA1 3a99f3338df4edee14c8b74e83edd2e17cd16574
SHA256 10343036511eb97f78b69390b4047954c947aa5dbb1720510a57b9cc15d65533
SHA512 3dc1410432ad3505a485ae410fdf6417b063fa4ead090e048b273ecfb18e28b5f5ad314536e756f7cbf07ce9fe9d8a8a10f0284ca02aa5a0985346b8789379aa

memory/328-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/328-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/328-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/328-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/328-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/328-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/328-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/328-41-0x0000000000400000-0x0000000000537000-memory.dmp