Malware Analysis Report

2024-10-23 16:23

Sample ID 240521-vdfxfscc8x
Target 41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925
SHA256 41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925
Tags
djvu discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925

Threat Level: Known bad

The file 41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 16:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 16:52

Reported

2024-05-21 16:54

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe | N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e96480df-5860-4ab2-8a3f-af6f2b0ddd70\\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target | Count
N/A | api.2ip.ua | N/A | N/A | 3

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1176 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe | C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe | 10
PID 224 wrote to memory of 4696 | N/A | C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe | C:\Windows\SysWOW64\icacls.exe | 3
PID 224 wrote to memory of 1184 | N/A | C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe | C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe | 3
PID 1184 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe | C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe | 10

Processes

C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe

"C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe"

C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe

"C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\e96480df-5860-4ab2-8a3f-af6f2b0ddd70" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe

"C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe

"C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 cajgtus.com udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
KR 211.171.233.129:80 sdfjhuz.com tcp
MD 188.237.2.116:80 cajgtus.com tcp
MD 188.237.2.116:80 cajgtus.com tcp
US 8.8.8.8:53 129.233.171.211.in-addr.arpa udp
US 8.8.8.8:53 116.2.237.188.in-addr.arpa udp
MD 188.237.2.116:80 cajgtus.com tcp
MD 188.237.2.116:80 cajgtus.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
MD 188.237.2.116:80 cajgtus.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

memory/1176-1-0x0000000002620000-0x00000000026BE000-memory.dmp

memory/1176-2-0x00000000040D0000-0x00000000041EB000-memory.dmp

memory/224-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/224-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/224-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/224-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\e96480df-5860-4ab2-8a3f-af6f2b0ddd70\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe

MD5 05567327c48b4b2af47574295ee9748b
SHA1 7595f946efc74526f2b989413e73e3f37c4b4765
SHA256 41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925
SHA512 293c0df46670b450a5a840a424ef1848a2dd8634a5e837b1ace4196ba76ba040dcb12a8a0397a4c1583af3d1b63227653999b64247f6b593ef5c1cf2ec33fdea

memory/224-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2360-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 07b3c102f8e0108d99b166ad34fb2d63
SHA1 0d90f1bee5423489e185ebcfd1ec45a2c409d10e
SHA256 31ccccbb030e1968525d8bc9b8958901ecef24d1cb9500d82fc209eee5e035a7
SHA512 709bb8b25e9231bdda3d91373399f589a10a453a5af3c0e7ed7c60e870ec68dd54c42c1442293a27b3d38f47548604699821f1b4e7c99eee4053b86ded91d4a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 df80f9ba75076db634761b6132e0d4e3
SHA1 07983946fb660752c7cccb2ef82d01ec4c9ecc5d
SHA256 d5ff96fd8b416de93a85783192206224cf8821c240cd8ff755f2e8270153dd99
SHA512 4ec734c5d29e9ce00b00e42b627253195e8c7a158433fedfcee428e692a6501981c33d7c8a39235f8b691f087145cdbe660b430493edbeedb12588c5cdd5a66a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 53e133804099ee4563995b5863867eba
SHA1 f3335e1160d1ba6078b2db0437f79c046dfc112f
SHA256 d7be0b4f8d9fd2173668bc601f2a248f80a1c4ed61d5958b88a60ae558177173
SHA512 4a5b98fcbef7a7603d3600874b5132255222786121eee84391cb6bb084e81653485399e7d9cba80d8ce785843208d78a86748e9f45a707e98f2533b27de45018

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

memory/2360-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2360-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2360-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2360-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2360-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2360-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2360-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2360-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 16:52

Reported

2024-05-21 16:54

Platform

win11-20240426-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4ec1203a-241f-45b4-b9ef-6d30db4a1760\\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target | Count
N/A | api.2ip.ua | N/A | N/A | 3

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 4676 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe | C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe | 10
PID 4172 wrote to memory of 4244 | N/A | C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe | C:\Windows\SysWOW64\icacls.exe | 3
PID 4172 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe | C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe | 3
PID 3940 wrote to memory of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe | C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe | 10

Processes

C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe

"C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe"

C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe

"C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\4ec1203a-241f-45b4-b9ef-6d30db4a1760" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe

"C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe

"C:\Users\Admin\AppData\Local\Temp\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
PY 181.123.150.165:80 cajgtus.com tcp
ZA 192.143.130.208:80 sdfjhuz.com tcp
PY 181.123.150.165:80 cajgtus.com tcp
PY 181.123.150.165:80 cajgtus.com tcp
PY 181.123.150.165:80 cajgtus.com tcp
PY 181.123.150.165:80 cajgtus.com tcp

Files

memory/4676-2-0x00000000041C0000-0x00000000042DB000-memory.dmp

memory/4676-1-0x00000000026F0000-0x0000000002787000-memory.dmp

memory/4172-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4172-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4172-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4172-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\4ec1203a-241f-45b4-b9ef-6d30db4a1760\41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925.exe

MD5 05567327c48b4b2af47574295ee9748b
SHA1 7595f946efc74526f2b989413e73e3f37c4b4765
SHA256 41414ecd1275b4aaa6c0b82659b622a46426b599855cb402ace8358e42e18925
SHA512 293c0df46670b450a5a840a424ef1848a2dd8634a5e837b1ace4196ba76ba040dcb12a8a0397a4c1583af3d1b63227653999b64247f6b593ef5c1cf2ec33fdea

memory/4172-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3924-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 a85e27176d1dafb8a12a7c8ddd79f350
SHA1 ae826f67567a3c159909ca3af27a9abe940f5446
SHA256 729f63eb238ac407371267111df9a8897b5611574ee4bd198fa5a7a9310dbd69
SHA512 5c0d80fb0f434e1826869309f0acced7fc54bb2649aec9a44f7645e6afe5285666026d7e7bbd0cf8f701c4317a4c82d4fd57ca12348de9bab9f45909a5590a9b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 df80f9ba75076db634761b6132e0d4e3
SHA1 07983946fb660752c7cccb2ef82d01ec4c9ecc5d
SHA256 d5ff96fd8b416de93a85783192206224cf8821c240cd8ff755f2e8270153dd99
SHA512 4ec734c5d29e9ce00b00e42b627253195e8c7a158433fedfcee428e692a6501981c33d7c8a39235f8b691f087145cdbe660b430493edbeedb12588c5cdd5a66a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 5a0c1b62e34e6bec371911015f7ca1c6
SHA1 697badd53e4eeb102514f067580f85a9284acfa0
SHA256 8c6db261b8159a4b4c3528d316155a3cb667eb984bc5109efea6081162fd7150
SHA512 afd58694bc72e83eaf17fdb10bcec8bc29755f8fdb30b958deb9edc3c033129d2548a8615451d950172269b61f5756467cb4272909517f43d1467470f2737bdb

memory/3924-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3924-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3924-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3924-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3924-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3924-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3924-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3924-37-0x0000000000400000-0x0000000000537000-memory.dmp