Malware Analysis Report

2024-10-23 16:23

Sample ID 240522-aa691sed3w
Target 434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e
SHA256 434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e
Tags djvu discovery persistence ransomware
Score 10/10


Analysis Overview

Score 10/10

SHA256 434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e

Threat Level: Known bad

The file 434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 00:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 00:01

Reported

2024-05-22 00:04

Platform

win11-20240508-en

Max time kernel

141s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f53ff194-04c3-4dcf-b04f-701e28ccea19\\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe | N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4360 wrote to memory of 4328 (10 events) | N/A | C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe | C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe
PID 4328 wrote to memory of 1792 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe | C:\Windows\SysWOW64\icacls.exe
PID 4328 wrote to memory of 1312 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe | C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe
PID 1312 wrote to memory of 2956 (10 events) | N/A | C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe | C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe

Processes

C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe

"C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe"

C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe

"C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f53ff194-04c3-4dcf-b04f-701e28ccea19" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe

"C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe

"C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
CO 190.28.110.209:80 cajgtus.com tcp
SA 94.98.232.163:80 sdfjhuz.com tcp
CO 190.28.110.209:80 cajgtus.com tcp
CO 190.28.110.209:80 cajgtus.com tcp
CO 190.28.110.209:80 cajgtus.com tcp
CO 190.28.110.209:80 cajgtus.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4360-2-0x00000000041A0000-0x00000000042BB000-memory.dmp

memory/4360-1-0x00000000026D0000-0x000000000276A000-memory.dmp

memory/4328-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4328-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4328-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4328-3-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\f53ff194-04c3-4dcf-b04f-701e28ccea19\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe

MD5 94ec3337ff55fbb90c9826771ee1a452
SHA1 92a37f78607bb102849ee65f6efce5902302a958
SHA256 434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e
SHA512 be5f8de7734fde10771cf8567a4b41483bd9033c9ece6a8f92d584b181d7f43e87db22864d33e3cb1c562189dcd230e82e411bb966de9220b5bb8da2e3a89be4

memory/4328-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2956-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 8bca31f85ccbebe6b793afe5fe223059
SHA1 b5f9466693ed21a48b9f5fc6e270d95d3d27ef91
SHA256 01566416c9c8d7a5f100c8bb0261eab06cb16ad97438086c31c53ad2bd80059c
SHA512 f181eca72a2d407d714effc6827332c2565d8b7191a474e94eb85cc3a2d1f8137b873470d0df0faa1d31667fbb230fadd7fc2d4d78a4d0afe0fac1203ed83279

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 f416017ded3d4b5cc38c940c13f26605
SHA1 0544209621585aee410c15ac7c38e7cb0f4dd758
SHA256 605f0858dc875b86606e3d052d764e9cdb1724052d0109234b56946a244827e4
SHA512 0f72f8d79f24e2338919aa99587f550d90675e079a220e6f3a726fd0252dff23f6f035d98ace7e5b2a677e334d7d2494f51f8dfc028226f5f01d01c65b249a7b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a1d955617a4d146e70544d0d9a0390ca
SHA1 5ffdc4453b23e24a7cb0e634b26864c169f5257b
SHA256 8dbff2c0018158256912d87dd495a68c351303a319f50f204a930317e867aeb3
SHA512 0bffbc27638b12cc04f335de8c4f3c74df01ae55b56f389f8d046d797b4c62d31bbff057ea75ce32f67cdd3b878fd0aad3eb62e983f814296e1b94de3c6ba810

memory/2956-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2956-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2956-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2956-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2956-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2956-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2956-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2956-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 00:01

Reported

2024-05-22 00:04

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe | N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f77bb46d-2475-4dde-84c0-3379bfb615f5\\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe | N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4468 wrote to memory of 2988 (10 events) | N/A | C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe | C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe
PID 2988 wrote to memory of 1560 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe | C:\Windows\SysWOW64\icacls.exe
PID 2988 wrote to memory of 4004 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe | C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe
PID 4004 wrote to memory of 3120 (10 events) | N/A | C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe | C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe

Processes

C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe

"C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe"

C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe

"C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f77bb46d-2475-4dde-84c0-3379bfb615f5" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe

"C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe

"C:\Users\Admin\AppData\Local\Temp\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 cajgtus.com udp
BR 189.61.54.32:80 cajgtus.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
AZ 213.172.74.157:80 sdfjhuz.com tcp
BR 189.61.54.32:80 cajgtus.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 32.54.61.189.in-addr.arpa udp
US 8.8.8.8:53 157.74.172.213.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
BR 189.61.54.32:80 cajgtus.com tcp
BR 189.61.54.32:80 cajgtus.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
BR 189.61.54.32:80 cajgtus.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.189.79.40.in-addr.arpa udp

Files

memory/4468-2-0x0000000004020000-0x000000000413B000-memory.dmp

memory/4468-1-0x00000000026A0000-0x000000000273C000-memory.dmp

memory/2988-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2988-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2988-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2988-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\f77bb46d-2475-4dde-84c0-3379bfb615f5\434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e.exe

MD5 94ec3337ff55fbb90c9826771ee1a452
SHA1 92a37f78607bb102849ee65f6efce5902302a958
SHA256 434d0afff9951493f14b3df3341106085d6b25585048f24260ea79bca876dd2e
SHA512 be5f8de7734fde10771cf8567a4b41483bd9033c9ece6a8f92d584b181d7f43e87db22864d33e3cb1c562189dcd230e82e411bb966de9220b5bb8da2e3a89be4

memory/2988-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3120-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 719ce63a8caf8f4939d83ef9a4fd292c
SHA1 3c301b344a4a0bf14d4d83acc7d02d1c849af241
SHA256 62ad31e4c506a0ef8ae20c53ad03cba19ec7afd17bfbbe9c23bd8c7f4b9d34f4
SHA512 b0b4ee9429082d3ad0d68b058624f9ebc753c522354a8293e1c7d09b1def514621cdca14f64c03d7b4434d6e59afe8c41571aa85636cda651ae37da0e2196baa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a1d955617a4d146e70544d0d9a0390ca
SHA1 5ffdc4453b23e24a7cb0e634b26864c169f5257b
SHA256 8dbff2c0018158256912d87dd495a68c351303a319f50f204a930317e867aeb3
SHA512 0bffbc27638b12cc04f335de8c4f3c74df01ae55b56f389f8d046d797b4c62d31bbff057ea75ce32f67cdd3b878fd0aad3eb62e983f814296e1b94de3c6ba810

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 21b2bdc6ad7c6519fc05c22d669147bc
SHA1 76ee6162766175733a17631a10b0e0a688e81d6c
SHA256 f87ace767d12e65ea8d2d86640300f78d6363a5a50e48b2124f4d40a305b2c07
SHA512 b560520fbcf4a81b5d0fae0b2a57ae10adff1518fe6e6523aca939a3aa5a3d0143c43a26a62abf252454c99747ce99a32cdc32adb5ac56e042b98956025ef858

memory/3120-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3120-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3120-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3120-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3120-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3120-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3120-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3120-37-0x0000000000400000-0x0000000000537000-memory.dmp