Malware Analysis Report

2024-10-23 16:23

Sample ID 240521-p7fkwsef42
Target d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697
SHA256 d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697
Tags
djvu discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697

Threat Level: Known bad

The file d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Modifies file permissions

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 12:57

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 12:57

Reported

2024-05-21 13:00

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe"

Signatures

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\61e90a1c-ce1a-412b-9a07-2a04475cd375\\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 712 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe | C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe
PID 4532 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe | C:\Windows\SysWOW64\icacls.exe
PID 4532 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe | C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe
PID 4316 wrote to memory of 4280 | N/A | C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe | C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe

"C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe"

C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe

"C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\61e90a1c-ce1a-412b-9a07-2a04475cd375" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe

"C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe

"C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe" --Admin IsNotAutoStart IsNotTask

Network


Files


C:\Users\Admin\AppData\Local\61e90a1c-ce1a-412b-9a07-2a04475cd375\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe

MD5 93c4185d6bd7d35620815e99aa6d9f2b
SHA1 01c3bfaffb1496d0b4b2d52e21db58dc76d2dd39
SHA256 d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697
SHA512 8f21de65cc56a4c20a3211b6d598b748c1115d08cb44d2f086c6b5e5c26b3e572b956a361d05e8c2495a8e43097ba79b1f49c73e097f4f9d8a65664ef95722f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 4394fb21dc453052a86831f1fed996db
SHA1 15111a498f1a2dbe7ce0881f18d17eb42fee1067
SHA256 396dbb4e24085f93fd15672647d489550b047faffe0af9190a3b0cf91178d417
SHA512 51ad74fd36d072d8d4eec8d93af25548a55fc45c92a85607cc1290f02c393c8f142d3cc2aa34f73a31f881511b692c9e28620b6929e46d3aaf1661ed04a36eba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 df80f9ba75076db634761b6132e0d4e3
SHA1 07983946fb660752c7cccb2ef82d01ec4c9ecc5d
SHA256 d5ff96fd8b416de93a85783192206224cf8821c240cd8ff755f2e8270153dd99
SHA512 4ec734c5d29e9ce00b00e42b627253195e8c7a158433fedfcee428e692a6501981c33d7c8a39235f8b691f087145cdbe660b430493edbeedb12588c5cdd5a66a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 570cbe925b75ee7d442f54410c36fb24
SHA1 9563946019cacfcec9d7eaeca642381f12d4b660
SHA256 e145bd4fe6d1b6cdc438e24beda744e1fd24dcf7fbb6932f152e9aaf0edb855b
SHA512 b53970e6c64d8de1887d2a150cbc2cb79b27ee30f434e91481d5a16cd3d6ff3decf09063d6123a2f149d80a3f750bc1805d50beb226e97b81e2f18ff0bd21064

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 12:57

Reported

2024-05-21 13:00

Platform

win11-20240426-en

Max time kernel

143s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe"

Signatures

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\84feb6c7-2e90-4700-ae7e-ce79101a93ff\\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 332 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe | C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe
PID 2068 wrote to memory of 1344 | N/A | C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe | C:\Windows\SysWOW64\icacls.exe
PID 2068 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe | C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe
PID 2628 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe | C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe

"C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe"

C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe

"C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\84feb6c7-2e90-4700-ae7e-ce79101a93ff" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe

"C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe

"C:\Users\Admin\AppData\Local\Temp\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe" --Admin IsNotAutoStart IsNotTask

Network


Files


C:\Users\Admin\AppData\Local\84feb6c7-2e90-4700-ae7e-ce79101a93ff\d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697.exe

MD5 93c4185d6bd7d35620815e99aa6d9f2b
SHA1 01c3bfaffb1496d0b4b2d52e21db58dc76d2dd39
SHA256 d90d58df54d765277aad8627085dd15a61b0fafbc794f14b5f81a42807408697
SHA512 8f21de65cc56a4c20a3211b6d598b748c1115d08cb44d2f086c6b5e5c26b3e572b956a361d05e8c2495a8e43097ba79b1f49c73e097f4f9d8a65664ef95722f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 c25bd174e1f12cc0f4e66a655ddc62fb
SHA1 b530493dad2727c60b1b5407baa3120b71d57f3b
SHA256 26e7a43a7aee8380c332b7953cf3f933e4b40a564e45ae3fbb473e2bf31eb5f5
SHA512 b6c62261eed51281e31e4ba9d2d9186d939c19991931b2b1c2a93b4d655f55f36f2c2dbe6b98b09a8278a19a9f8b7374be42ef83050f90d45dacc4f8164673b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 df80f9ba75076db634761b6132e0d4e3
SHA1 07983946fb660752c7cccb2ef82d01ec4c9ecc5d
SHA256 d5ff96fd8b416de93a85783192206224cf8821c240cd8ff755f2e8270153dd99
SHA512 4ec734c5d29e9ce00b00e42b627253195e8c7a158433fedfcee428e692a6501981c33d7c8a39235f8b691f087145cdbe660b430493edbeedb12588c5cdd5a66a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 43784c60af395e4e8d1cb7bf78363626
SHA1 69424fc9f079764fe5005651761755b323d40990
SHA256 d8a839cc1840c3e37318da607cb3cac2a9f0a180bc3b8cbbda280819aaeabcf2
SHA512 09910f5d1238429e9e0821d92fa424aca91b645d3f63fa1dde86f588337a9d8f509af122ca11def42975bb89d3e565afa7f9c0f47a1981f0f513b0a2ef71f1a6