Malware Analysis Report

2024-10-23 16:23

Sample ID 240521-spqjxsac7s
Target ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615
SHA256 ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615
Tags djvu discovery persistence ransomware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615

Threat Level: Known bad

The file ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 15:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 15:18

Reported

2024-05-21 15:20

Platform

win11-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4e0fcc6d-c4c0-454b-91d5-227c884c9a41\\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 936 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 936 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 936 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 936 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 936 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 936 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 936 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 936 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 936 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 936 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 3948 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Windows\SysWOW64\icacls.exe
PID 3948 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Windows\SysWOW64\icacls.exe
PID 3948 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Windows\SysWOW64\icacls.exe
PID 3948 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 3948 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 3948 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 2360 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 2360 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 2360 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 2360 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 2360 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 2360 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 2360 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 2360 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 2360 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 2360 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe

"C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe"

C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe

"C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\4e0fcc6d-c4c0-454b-91d5-227c884c9a41" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe

"C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe

"C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.2:443 api.2ip.ua tcp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 188.114.97.2:443 api.2ip.ua tcp
KR 211.171.233.129:80 cajgtus.com tcp
CO 190.146.112.188:80 sdfjhuz.com tcp
KR 211.171.233.129:80 cajgtus.com tcp
KR 211.171.233.129:80 cajgtus.com tcp
KR 211.171.233.129:80 cajgtus.com tcp
KR 211.171.233.129:80 cajgtus.com tcp

Files

memory/936-1-0x0000000004160000-0x00000000041F6000-memory.dmp

memory/936-2-0x00000000042C0000-0x00000000043DB000-memory.dmp

memory/3948-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3948-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3948-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3948-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\4e0fcc6d-c4c0-454b-91d5-227c884c9a41\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe

MD5 e9f7616b292dee88d0dc0b2c237f63d8
SHA1 e9a52fcc35ac259c2147a57596b0c5657b02228d
SHA256 ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615
SHA512 d1ec516985d69795d525ae677a089971c7867960ffa32000ac8ed46797dfc47ad6caf690338b37d1fa66c119ad888059fd46b1ab029fb080f22bac9e4edea000

memory/3948-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/792-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 df3193a6a9401f1a271c2c96dd9a1f00
SHA1 475755f6b10d25c9f1d7d20560eca1e196d0bb7a
SHA256 25de31a9bc08883c766afa09f6cb6e8f15d0f67545a8229f9d0bb24b29eceaaf
SHA512 717259474306e884da84b910016024ddee6868b2e08954705302f420147980b6a5e77d78263fa28979d774ae4d064216569290551067490d22001c5404b91641

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 df80f9ba75076db634761b6132e0d4e3
SHA1 07983946fb660752c7cccb2ef82d01ec4c9ecc5d
SHA256 d5ff96fd8b416de93a85783192206224cf8821c240cd8ff755f2e8270153dd99
SHA512 4ec734c5d29e9ce00b00e42b627253195e8c7a158433fedfcee428e692a6501981c33d7c8a39235f8b691f087145cdbe660b430493edbeedb12588c5cdd5a66a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 ee75ec364e2f758d54e81d28bacf0d4b
SHA1 98fc1969f09cee4a77cbea5a22fd0ee4f32ae124
SHA256 2e4775adf46c80614a576d6a89acfaa36a47ea083f04e47bdc0d296472def22c
SHA512 e6257b72acec059bf0c439f93339fe210a696648acf9ac777ea098aa6f7b246a38ee72ad3faec34dea0d701f426acf5a82d6721fd4e7bae0471664985d8eda0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

memory/792-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/792-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/792-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/792-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/792-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/792-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/792-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/792-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 15:18

Reported

2024-05-21 15:20

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f1a56ec0-a845-46f3-b16a-be5b0aa93a02\\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1228 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1228 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1228 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1228 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1228 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1228 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1228 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1228 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1228 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 2264 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Windows\SysWOW64\icacls.exe
PID 2264 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Windows\SysWOW64\icacls.exe
PID 2264 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Windows\SysWOW64\icacls.exe
PID 2264 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 2264 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 2264 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1424 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1424 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1424 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1424 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1424 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1424 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1424 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1424 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1424 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe
PID 1424 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe

"C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe"

C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe

"C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f1a56ec0-a845-46f3-b16a-be5b0aa93a02" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe

"C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe

"C:\Users\Admin\AppData\Local\Temp\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.2:443 api.2ip.ua tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 188.114.97.2:443 api.2ip.ua tcp
US 8.8.8.8:53 cajgtus.com udp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
DO 148.101.130.101:80 sdfjhuz.com tcp
BR 177.129.90.106:80 cajgtus.com tcp
NL 23.62.61.75:443 www.bing.com tcp
BR 177.129.90.106:80 cajgtus.com tcp
US 8.8.8.8:53 101.130.101.148.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 106.90.129.177.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
BR 177.129.90.106:80 cajgtus.com tcp
BR 177.129.90.106:80 cajgtus.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
BR 177.129.90.106:80 cajgtus.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/1228-2-0x0000000004140000-0x000000000425B000-memory.dmp

memory/1228-1-0x0000000003F30000-0x0000000003FC8000-memory.dmp

memory/2264-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2264-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2264-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2264-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\f1a56ec0-a845-46f3-b16a-be5b0aa93a02\ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615.exe

MD5 e9f7616b292dee88d0dc0b2c237f63d8
SHA1 e9a52fcc35ac259c2147a57596b0c5657b02228d
SHA256 ce7314bab5400dd11ed0f848c046b9bed30b15d644e5a23a742828560252f615
SHA512 d1ec516985d69795d525ae677a089971c7867960ffa32000ac8ed46797dfc47ad6caf690338b37d1fa66c119ad888059fd46b1ab029fb080f22bac9e4edea000

memory/2264-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2796-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7325fceb098194657842172e72a56d69
SHA1 e0f0490a81d18c7d19e4121019a743b957867c40
SHA256 09d2e5ad2671b8c89c31ac809de418b407ec47fa7332657bcde211e1c223251e
SHA512 301aa6caf00d9907cdbe3321b3f8a6478531346893c42e96752cf4155d8affed1f2461812449143ba18732421eb571743307239bc4f981fa6726a51804920c8f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 535cf8b45a966b857b4eb80bec9379d6
SHA1 51b4f2f4b5e6288ade30ed04023569aef1a2990c
SHA256 fc459384479fff681f94ff5a7c5bfd6773bd71babbe76169b884f1e029587e5c
SHA512 dfda65b4c2db91e66bb76139e25ddf29abb481daa2ca4a6cf9db2b7092f700b57ce597084353eee2a04183413db4a0a295cf5d7bbe54b225a08c5782e2578d53

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 df80f9ba75076db634761b6132e0d4e3
SHA1 07983946fb660752c7cccb2ef82d01ec4c9ecc5d
SHA256 d5ff96fd8b416de93a85783192206224cf8821c240cd8ff755f2e8270153dd99
SHA512 4ec734c5d29e9ce00b00e42b627253195e8c7a158433fedfcee428e692a6501981c33d7c8a39235f8b691f087145cdbe660b430493edbeedb12588c5cdd5a66a

memory/2796-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2796-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2796-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2796-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2796-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2796-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2796-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2796-37-0x0000000000400000-0x0000000000537000-memory.dmp