Malware Analysis Report

2024-10-23 16:23

Sample ID 240521-vqpp5ace64
Target f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d
SHA256 f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d
Tags
djvu discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d

Threat Level: Known bad

The file f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 17:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 17:11

Reported

2024-05-21 17:14

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\bfb93ab8-d199-42cf-a5fb-cfe7ccc77f1b\\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4788 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 4788 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 4788 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 4788 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 4788 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 4788 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 4788 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 4788 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 4788 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 4788 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 1328 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Windows\SysWOW64\icacls.exe
PID 1328 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Windows\SysWOW64\icacls.exe
PID 1328 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Windows\SysWOW64\icacls.exe
PID 1328 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 1328 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 1328 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 5004 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 5004 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 5004 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 5004 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 5004 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 5004 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 5004 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 5004 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 5004 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 5004 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe

"C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe"

C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe

"C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\bfb93ab8-d199-42cf-a5fb-cfe7ccc77f1b" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe

"C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe

"C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 cajgtus.com udp
IQ 195.85.218.100:80 cajgtus.com tcp
MD 188.237.2.116:80 sdfjhuz.com tcp
IQ 195.85.218.100:80 cajgtus.com tcp
US 8.8.8.8:53 116.2.237.188.in-addr.arpa udp
US 8.8.8.8:53 100.218.85.195.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
IQ 195.85.218.100:80 cajgtus.com tcp
IQ 195.85.218.100:80 cajgtus.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
IQ 195.85.218.100:80 cajgtus.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

memory/4788-1-0x00000000025C0000-0x0000000002655000-memory.dmp

memory/4788-2-0x0000000004140000-0x000000000425B000-memory.dmp

memory/1328-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1328-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1328-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1328-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\bfb93ab8-d199-42cf-a5fb-cfe7ccc77f1b\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe

MD5 3272f4177ebd454a5d1ba9279f20e1a1
SHA1 fd8a0f709d84c07f79cd21b7ec1aa73e3310b2b0
SHA256 f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d
SHA512 6486a6b6403eaec5640cc657bcce4280af824c8d9318f80d08a7f347068c7dca461bf2998f973ba5ba7085027c5f56d55d91504a6d9b4611d374ab67ff63f047

memory/1328-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3748-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 11f278ecfadd681ed364f1d2378e1c12
SHA1 86ca6ba60845cb97e850c3849028735b799607d7
SHA256 4f9ab2929062209a0fef639022b39e69aa46473633ca68853a91340f0dd6e5fd
SHA512 d4ba5faf3ca38d8a709f0fdb2a2657732a14be4f6107a7725b3e3d13b1d8f1d6d4602c72ff70ba200f5f2a49b76caea59f28cc29a008e2de7ca36ef017b54aaa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 df80f9ba75076db634761b6132e0d4e3
SHA1 07983946fb660752c7cccb2ef82d01ec4c9ecc5d
SHA256 d5ff96fd8b416de93a85783192206224cf8821c240cd8ff755f2e8270153dd99
SHA512 4ec734c5d29e9ce00b00e42b627253195e8c7a158433fedfcee428e692a6501981c33d7c8a39235f8b691f087145cdbe660b430493edbeedb12588c5cdd5a66a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7ab7f71ca3b66c963f16ced32610976d
SHA1 c955b825cf828d5dfbafcebd99e6dcaea67a1046
SHA256 519300bbc8fa37d9edd179022cbe6060cf5d61851d041699f20f9623d1a6e542
SHA512 de1088561d7df6a6806b230fad1ba6472c16b9ef2dce528fe31c287cba5074f2d8a2ee2606b7282cbb5f12734a49a40de17e694ad5ff817dca722540e9b44167

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

memory/3748-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3748-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3748-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3748-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3748-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3748-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3748-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3748-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 17:11

Reported

2024-05-21 17:14

Platform

win11-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fb1166c3-a335-41fc-80ea-b1feec2182db\\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4968 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 4968 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 4968 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 4968 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 4968 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 4968 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 4968 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 4968 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 4968 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 4968 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 1956 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Windows\SysWOW64\icacls.exe
PID 1956 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Windows\SysWOW64\icacls.exe
PID 1956 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Windows\SysWOW64\icacls.exe
PID 1956 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 1956 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 1956 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 2960 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 2960 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 2960 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 2960 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 2960 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 2960 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 2960 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 2960 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 2960 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe
PID 2960 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe

"C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe"

C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe

"C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\fb1166c3-a335-41fc-80ea-b1feec2182db" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe

"C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe

"C:\Users\Admin\AppData\Local\Temp\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.2:443 api.2ip.ua tcp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 188.114.96.2:443 api.2ip.ua tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 cajgtus.com udp
IR 217.219.131.81:80 cajgtus.com tcp
CO 190.156.239.49:80 sdfjhuz.com tcp
IR 217.219.131.81:80 cajgtus.com tcp
IR 217.219.131.81:80 cajgtus.com tcp
IR 217.219.131.81:80 cajgtus.com tcp
IR 217.219.131.81:80 cajgtus.com tcp

Files

memory/4968-1-0x0000000002600000-0x000000000269C000-memory.dmp

memory/4968-2-0x0000000004240000-0x000000000435B000-memory.dmp

memory/1956-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1956-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1956-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1956-3-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\fb1166c3-a335-41fc-80ea-b1feec2182db\f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d.exe

MD5 3272f4177ebd454a5d1ba9279f20e1a1
SHA1 fd8a0f709d84c07f79cd21b7ec1aa73e3310b2b0
SHA256 f289a570acf7065f25cd7bbcdc1b34992324a9f7d6ac709f41544c5c5a99ba6d
SHA512 6486a6b6403eaec5640cc657bcce4280af824c8d9318f80d08a7f347068c7dca461bf2998f973ba5ba7085027c5f56d55d91504a6d9b4611d374ab67ff63f047

memory/1956-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1132-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 df80f9ba75076db634761b6132e0d4e3
SHA1 07983946fb660752c7cccb2ef82d01ec4c9ecc5d
SHA256 d5ff96fd8b416de93a85783192206224cf8821c240cd8ff755f2e8270153dd99
SHA512 4ec734c5d29e9ce00b00e42b627253195e8c7a158433fedfcee428e692a6501981c33d7c8a39235f8b691f087145cdbe660b430493edbeedb12588c5cdd5a66a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 33d61bf27d159382e90fc80609751d58
SHA1 f0efae71dff265d65bf8fd2c0fd6a7f30fc4dbaf
SHA256 ae2620a3e9e06d8f62065a0273c7e96de1e81a0f7f34b989e14da71e369994c4
SHA512 195bcbf2ae0f288da3edd38494e65f1c7b9d3817dba493502d23ddde154ba12e350bea9e36f82dbd381214081c6089d9717162c4bb8a0634ea25b191c578b73d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 ca32f50673d9306664e2006e86edac38
SHA1 9c2988bf138b9999918d70fd27c2005995ef1673
SHA256 3a5af594e75d2ba5a44b6eb58628505abab2097e699b68edd128a15d2df49e1a
SHA512 ed675691d86da8692da2749ba77ceb2bb358273c2b5956ef14c30d5f773741aec65043fe642186d6473b779d0fba3a0c3eec00fecaecd10893d2f0fe8bfcd901

memory/1132-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1132-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1132-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1132-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1132-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1132-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1132-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1132-37-0x0000000000400000-0x0000000000537000-memory.dmp