Malware Analysis Report

2024-10-23 16:23

Sample ID 240522-ab4khsed5w
Target 3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8
SHA256 3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8
Tags
djvu discovery persistence ransomware
score
10/10


Analysis Overview

score
10/10

SHA256

3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8

Threat Level: Known bad

The file 3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Modifies file permissions

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 00:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 00:03

Reported

2024-05-22 00:05

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe"

Signatures

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c4a7b663-c182-4492-bc30-bb8f935b6da1\\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1692 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1692 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1692 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1692 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1692 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1692 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1692 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1692 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1692 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1692 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 3800 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Windows\SysWOW64\icacls.exe
PID 3800 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Windows\SysWOW64\icacls.exe
PID 3800 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Windows\SysWOW64\icacls.exe
PID 3800 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 3800 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 3800 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1168 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1168 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1168 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1168 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1168 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1168 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1168 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1168 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1168 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1168 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe

"C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe"

C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe

"C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c4a7b663-c182-4492-bc30-bb8f935b6da1" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe

"C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe

"C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe" --Admin IsNotAutoStart IsNotTask

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.2ip.ua | udp
US | 172.67.139.220:443 | api.2ip.ua | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp
US | 172.67.139.220:443 | api.2ip.ua | tcp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp
US | 8.8.8.8:53 | sdfjhuz.com | udp
US | 8.8.8.8:53 | cajgtus.com | udp
SA | 94.98.232.163:80 | sdfjhuz.com | tcp
CO | 181.55.190.201:80 | cajgtus.com | tcp
CO | 181.55.190.201:80 | cajgtus.com | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 163.232.98.94.in-addr.arpa | udp
US | 8.8.8.8:53 | 201.190.55.181.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
CO | 181.55.190.201:80 | cajgtus.com | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
CO | 181.55.190.201:80 | cajgtus.com | tcp
CO | 181.55.190.201:80 | cajgtus.com | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 |  | udp

Files

memory/1692-1-0x00000000024C0000-0x000000000255E000-memory.dmp

memory/1692-2-0x0000000004120000-0x000000000423B000-memory.dmp

memory/3800-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3800-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3800-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3800-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\c4a7b663-c182-4492-bc30-bb8f935b6da1\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe

MD5 c809827be1c79e65c9dd86e78d7c53f1
SHA1 ba0403ea800d5b0e68888543f6ca0921f753ddd1
SHA256 3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8
SHA512 ad47c68490b7c34b0ae8001d59071cbf1888de7bb72be29922dc0c3e1eea1624bc1a4dfd6481cc06281363c54d170bbfa37a43b1e720721b18b5813d23ad45c5

memory/3800-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4072-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 5732c0f01e76f060fea4f34978eb5110
SHA1 fd9d591de732ad9542f2ec4d6d6e25c56513fbdb
SHA256 4190e02d575fdf57ae931d6e75a73d449a31d8c6a0909579f2059f462133b825
SHA512 35d8d55d46fa4dce397496bf2c190afe057e825ea51bc8d5f73bc633ef9b7eba1cbd14103a00d47eb200791dea336e31040f354bd2e312db96dbb6eb45dd9042

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a1d955617a4d146e70544d0d9a0390ca
SHA1 5ffdc4453b23e24a7cb0e634b26864c169f5257b
SHA256 8dbff2c0018158256912d87dd495a68c351303a319f50f204a930317e867aeb3
SHA512 0bffbc27638b12cc04f335de8c4f3c74df01ae55b56f389f8d046d797b4c62d31bbff057ea75ce32f67cdd3b878fd0aad3eb62e983f814296e1b94de3c6ba810

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 300c8cdd381ba847f30cff88b6d73748
SHA1 369763069428bf78e534cd7be2b40b433b9cf5d9
SHA256 7431badea8dfca0042091cdfa7fced9cdc392e6e3aaf45b76cd47e5ccb67ce79
SHA512 07d283508cfe10334fbb379c1eaff7126336a4dc9f7cb40b2468bd5218fde7f6e32ea7772ef84e7402cbef2e74f8e9253faacebf247fe04fc1c2f3dd144673fc

memory/4072-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4072-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4072-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4072-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4072-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4072-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4072-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4072-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 00:03

Reported

2024-05-22 00:05

Platform

win11-20240426-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe"

Signatures

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\68c30bef-ea8c-43e6-9d87-e39d860b5d94\\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4132 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 4132 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 4132 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 4132 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 4132 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 4132 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 4132 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 4132 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 4132 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 4132 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1696 wrote to memory of 792 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Windows\SysWOW64\icacls.exe
PID 1696 wrote to memory of 792 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Windows\SysWOW64\icacls.exe
PID 1696 wrote to memory of 792 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Windows\SysWOW64\icacls.exe
PID 1696 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1696 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1696 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1512 wrote to memory of 3292 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1512 wrote to memory of 3292 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1512 wrote to memory of 3292 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1512 wrote to memory of 3292 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1512 wrote to memory of 3292 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1512 wrote to memory of 3292 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1512 wrote to memory of 3292 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1512 wrote to memory of 3292 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1512 wrote to memory of 3292 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe
PID 1512 wrote to memory of 3292 | N/A | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe | C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe

"C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe"

C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe

"C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\68c30bef-ea8c-43e6-9d87-e39d860b5d94" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe

"C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe

"C:\Users\Admin\AppData\Local\Temp\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe" --Admin IsNotAutoStart IsNotTask

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.2ip.ua | udp
US | 104.21.65.24:443 | api.2ip.ua | tcp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp
US | 104.21.65.24:443 | api.2ip.ua | tcp
CO | 181.55.190.201:80 | cajgtus.com | tcp
KR | 211.168.53.110:80 | sdfjhuz.com | tcp
CO | 181.55.190.201:80 | cajgtus.com | tcp
CO | 181.55.190.201:80 | cajgtus.com | tcp
CO | 181.55.190.201:80 | cajgtus.com | tcp
CO | 181.55.190.201:80 | cajgtus.com | tcp

Files

memory/4132-2-0x00000000041C0000-0x00000000042DB000-memory.dmp

memory/4132-1-0x00000000025D0000-0x0000000002670000-memory.dmp

memory/1696-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1696-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1696-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1696-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\68c30bef-ea8c-43e6-9d87-e39d860b5d94\3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8.exe

MD5 c809827be1c79e65c9dd86e78d7c53f1
SHA1 ba0403ea800d5b0e68888543f6ca0921f753ddd1
SHA256 3d671617eb9309b57270ca90341af42a2512fda22a22b2b47d4b6060110aecd8
SHA512 ad47c68490b7c34b0ae8001d59071cbf1888de7bb72be29922dc0c3e1eea1624bc1a4dfd6481cc06281363c54d170bbfa37a43b1e720721b18b5813d23ad45c5

memory/1696-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3292-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a1d955617a4d146e70544d0d9a0390ca
SHA1 5ffdc4453b23e24a7cb0e634b26864c169f5257b
SHA256 8dbff2c0018158256912d87dd495a68c351303a319f50f204a930317e867aeb3
SHA512 0bffbc27638b12cc04f335de8c4f3c74df01ae55b56f389f8d046d797b4c62d31bbff057ea75ce32f67cdd3b878fd0aad3eb62e983f814296e1b94de3c6ba810

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fc645c046b61028ac135d6484834cb8f
SHA1 0f53da2cd7bd5b6b695f47ebefc6b1c698fe8019
SHA256 0adc0b994b1509aeec734e92f21f5c329aaec02fd7d56d403269df9a1caea6c4
SHA512 567f0a47bdc02fac646e1aef827c20c9346581337838dd3585f383aa764213fc627261d26b921bc24ab48d242abeb29235eba43b49cfaa2ed969d2b15237a13c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 7a00c45f57b41d4648d4a405aeca7a8b
SHA1 b888be9f54e7b25cae3c695ede5c9d7b13dea882
SHA256 5251445e4ea5898e0729257f732a7739523d59abd1316f497162c52ad5d8ddb2
SHA512 0f4e384b1df95ac59a53ba81bdb6bbc46114c2f4d3a89ecab0d16cf9d9888eb05fe15f53d5eb7b0e01c69b6ff21b7b4727537601020c713c4bfe0e61da63cd32

memory/3292-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3292-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3292-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3292-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3292-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3292-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3292-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3292-37-0x0000000000400000-0x0000000000537000-memory.dmp