Malware Analysis Report

2024-10-23 16:23

Sample ID 240521-s4sb3aaf68
Target 50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f
SHA256 50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f
Tags
djvu discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f

Threat Level: Known bad

The file 50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 15:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 15:41

Reported

2024-05-21 15:43

Platform

win11-20240508-en

Max time kernel

141s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1c8c33e4-53f2-42f1-8733-f5e7b4f3aedd\\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4792 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4792 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4792 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4792 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4792 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4792 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4792 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4792 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4792 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4792 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 2568 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Windows\SysWOW64\icacls.exe
PID 2568 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Windows\SysWOW64\icacls.exe
PID 2568 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Windows\SysWOW64\icacls.exe
PID 2568 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 2568 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 2568 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4104 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4104 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4104 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4104 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4104 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4104 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4104 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4104 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4104 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4104 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe

"C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe"

C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe

"C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\1c8c33e4-53f2-42f1-8733-f5e7b4f3aedd" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe

"C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe

"C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 cajgtus.com udp
JO 176.29.154.25:80 cajgtus.com tcp
KW 78.89.199.216:80 sdfjhuz.com tcp
JO 176.29.154.25:80 cajgtus.com tcp
JO 176.29.154.25:80 cajgtus.com tcp
JO 176.29.154.25:80 cajgtus.com tcp
JO 176.29.154.25:80 cajgtus.com tcp
US 52.111.229.48:443 tcp

Files

memory/4792-1-0x00000000025C0000-0x0000000002655000-memory.dmp

memory/2568-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2568-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4792-2-0x00000000041C0000-0x00000000042DB000-memory.dmp

memory/2568-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2568-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\1c8c33e4-53f2-42f1-8733-f5e7b4f3aedd\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe

MD5 c991e828e97d9e583ff042e5891d9999
SHA1 12b6ab69ee99c0c5cb5b4f413f24e84d438b2d96
SHA256 50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f
SHA512 f65fcd02981c1a4eea592486ccb6b592fe646dbac48b0104586bf06f96a65124916c9f456ac588411b2b9dc434ede958977cdf47550e957623a1e1c6960573fb

memory/2568-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1988-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 df80f9ba75076db634761b6132e0d4e3
SHA1 07983946fb660752c7cccb2ef82d01ec4c9ecc5d
SHA256 d5ff96fd8b416de93a85783192206224cf8821c240cd8ff755f2e8270153dd99
SHA512 4ec734c5d29e9ce00b00e42b627253195e8c7a158433fedfcee428e692a6501981c33d7c8a39235f8b691f087145cdbe660b430493edbeedb12588c5cdd5a66a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 e766943046fa85a9f796b40758fb3048
SHA1 fdc3f2d07868eb0d7040e51a2c9329b6cc2e8806
SHA256 b717a6228132036d603f0bc44ca58ee5ca75cbcea70a463276d66b2cbc6efde9
SHA512 90d6c0ed04cc8eb760ce5d33cb5c216c33a4591a9ac1ed246bc3440de910bc82efbdb821e36b4773aa68dad00267678adfaeb59eccc2a7348969bc53363b7f3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 a599b9a761d5d563808dce386a2f6903
SHA1 b5d3af2cc8e4e4ba3a1b25a5be2fad28094f6240
SHA256 185c4c34903f8cc62dd06eafaf92706e448d003888542ad5eb4215f79af1be59
SHA512 1df03010e4920c8460675216f47caa9949ba184e70972223b0ba627c441c8088b10af8160fb2821bb6e2c57912931943d2769ce23857c739e73e3e689aff40da

memory/1988-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1988-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1988-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1988-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1988-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1988-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1988-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1988-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 15:41

Reported

2024-05-21 15:43

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6ba91ea7-58ea-41c9-be78-b1f4d9dba4dc\\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 332 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 332 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 332 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 332 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 332 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 332 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 332 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 332 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 332 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 332 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4684 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Windows\SysWOW64\icacls.exe
PID 4684 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Windows\SysWOW64\icacls.exe
PID 4684 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Windows\SysWOW64\icacls.exe
PID 4684 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4684 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 4684 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 2756 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 2756 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 2756 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 2756 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 2756 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 2756 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 2756 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 2756 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 2756 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe
PID 2756 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe

"C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe"

C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe

"C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\6ba91ea7-58ea-41c9-be78-b1f4d9dba4dc" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe

"C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe

"C:\Users\Admin\AppData\Local\Temp\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe" --Admin IsNotAutoStart IsNotTask

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3684,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=2700 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 104.211.222.173.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 cajgtus.com udp
JO 176.29.154.25:80 cajgtus.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 25.154.29.176.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
KR 211.40.39.251:80 sdfjhuz.com tcp
JO 176.29.154.25:80 cajgtus.com tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 251.39.40.211.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
JO 176.29.154.25:80 cajgtus.com tcp
JO 176.29.154.25:80 cajgtus.com tcp
JO 176.29.154.25:80 cajgtus.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/332-1-0x00000000024F0000-0x000000000258B000-memory.dmp

memory/332-2-0x0000000004140000-0x000000000425B000-memory.dmp

memory/4684-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4684-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4684-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4684-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\6ba91ea7-58ea-41c9-be78-b1f4d9dba4dc\50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f.exe

MD5 c991e828e97d9e583ff042e5891d9999
SHA1 12b6ab69ee99c0c5cb5b4f413f24e84d438b2d96
SHA256 50e67518555f88edc46e95c81c38860c272f45483ccde420315e62827bf3527f
SHA512 f65fcd02981c1a4eea592486ccb6b592fe646dbac48b0104586bf06f96a65124916c9f456ac588411b2b9dc434ede958977cdf47550e957623a1e1c6960573fb

memory/4684-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4072-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4072-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 df80f9ba75076db634761b6132e0d4e3
SHA1 07983946fb660752c7cccb2ef82d01ec4c9ecc5d
SHA256 d5ff96fd8b416de93a85783192206224cf8821c240cd8ff755f2e8270153dd99
SHA512 4ec734c5d29e9ce00b00e42b627253195e8c7a158433fedfcee428e692a6501981c33d7c8a39235f8b691f087145cdbe660b430493edbeedb12588c5cdd5a66a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 6ce8381eb1e843d3d2f3b3ce7377e942
SHA1 b4c9927ed871982a89ea02fa8fc488a725dd7d15
SHA256 4788faafb0572200f76cd7f0ab2d9a5d0399bec76175e7ab87706abc7ec4427c
SHA512 0e6f2c75e961208125e52eddfae4c7fc437d93e97ebad4a26df6e8d68b91a9b665e8e9bf9ac310bf3e5109ae7cda8c80eceafb24837d4c68a4d292a06f2b2b62

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 9a456abe734c05b91618fbc0549db7fa
SHA1 55589e0b97797a5e62574a353171ed24c5c79fa4
SHA256 632a7b883f6762c4676db156dba5094f5e015c02c762149449ef65b7bca63178
SHA512 0acda2430468a19f6ab2fe402ca5344d57776532f0287355a16a8dede979dbf7c179a39cca725070780f83427bb5a2a79a974dfcb1e7de2dad96d2094a8debed

memory/4072-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4072-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4072-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4072-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4072-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4072-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4072-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4072-39-0x0000000000400000-0x0000000000537000-memory.dmp