Malware Analysis Report

2024-10-23 16:23

Sample ID 240522-h7lnksgc3z
Target 076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea
SHA256 076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea
Tags
djvu discovery persistence ransomware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea

Threat Level: Known bad

The file 076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Modifies file permissions

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 07:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 07:22

Reported

2024-05-22 07:25

Platform

win11-20240508-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a12f0297-dc30-493c-98ef-9c3b9cc87de1\\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4108 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe
PID 4560 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe C:\Windows\SysWOW64\icacls.exe
PID 4560 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe
PID 4512 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe

Processes

C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe

"C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe"

C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe

"C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\a12f0297-dc30-493c-98ef-9c3b9cc87de1" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe

"C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe

"C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
MX 187.199.150.21:80 cajgtus.com tcp
MX 201.119.122.3:80 sdfjhuz.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4108-1-0x0000000004A10000-0x0000000004AAB000-memory.dmp

memory/4108-2-0x0000000004BA0000-0x0000000004CBB000-memory.dmp

memory/4560-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4560-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4560-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4560-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\a12f0297-dc30-493c-98ef-9c3b9cc87de1\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe

MD5 7830d0fbdc9b0db1b23c974ebb7ed843
SHA1 5c7421146117885f5b0a340c68ff13186e10661a
SHA256 076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea
SHA512 47def04f9f69c9003671a29be8efae5c581fa66c0f4a03f152113cefb336f64dcc24946dc31b95abd687a38403bdf274541cc0b2c1eaf6de3541423d3030adba

memory/4560-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2140-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 195fc28150bef9b30510eed36fb325af
SHA1 1ea8a314d8af1d431b77d5280d1782e9a8e867c6
SHA256 5c2e51ccf5767f80257a0a0bb66dee40957e5379431e15a118e7f1343ad1f6e0
SHA512 537da7e46d8b5afc796c1908042088c583c5380fb729f3665845fe36286b3efeaec9fa26475e9c2263f55b1eca04bd7ae26088a9a85950b2b7f750fd24eadcfc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 60902468d13929d598346330a2d1f55a
SHA1 e75cbb6c4fc90aa77f21fd3289078115c8df9d3b
SHA256 01b7946d986c1b0cc8090006c3077ee15e941c13ef9ec56e4fc6abf90bdca1d3
SHA512 e94dadd92b59db6edd875df4ba3a9758ba1de284c0f7e198d00be424a842b5362b12b493f613455ec9280b749795fa40e16e3ca49a5d3ada5d6b080eaf167c09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 aedeadfe4862139e6c9447a70e7d55b0
SHA1 2226b5369f19670eeb1920dc1d1f087dec346663
SHA256 4ed7768238599a5bf697cc5554a16c251303b96db0c75ad42b42a8c7bc7e86ab
SHA512 3f57e62991596d47192fdeebb3af8cd487ca6821c3eee46c03e648fadce9ed1ffd092e5852e52cf69dea1070b386c4b75a7ef71ac6cda48775e1748ba8d984d8

memory/2140-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2140-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2140-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2140-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2140-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2140-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2140-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2140-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 07:22

Reported

2024-05-22 07:25

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\282f3652-88c5-4524-af70-41d7fbee49f2\\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4752 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe
PID 4344 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe C:\Windows\SysWOW64\icacls.exe
PID 4344 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe
PID 5020 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe

Processes

C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe

"C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe"

C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe

"C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\282f3652-88c5-4524-af70-41d7fbee49f2" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe

"C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe

"C:\Users\Admin\AppData\Local\Temp\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 cajgtus.com udp
KR 220.82.134.210:80 cajgtus.com tcp
CO 190.147.128.172:80 sdfjhuz.com tcp
US 8.8.8.8:53 172.128.147.190.in-addr.arpa udp
US 8.8.8.8:53 210.134.82.220.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp

Files

memory/4752-1-0x00000000049A0000-0x0000000004A37000-memory.dmp

memory/4752-2-0x0000000004A90000-0x0000000004BAB000-memory.dmp

memory/4344-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4344-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4344-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4344-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\282f3652-88c5-4524-af70-41d7fbee49f2\076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea.exe

MD5 7830d0fbdc9b0db1b23c974ebb7ed843
SHA1 5c7421146117885f5b0a340c68ff13186e10661a
SHA256 076e064030e4ce341cba136045c03f79508afc9779635f68a6a9b48dea30ceea
SHA512 47def04f9f69c9003671a29be8efae5c581fa66c0f4a03f152113cefb336f64dcc24946dc31b95abd687a38403bdf274541cc0b2c1eaf6de3541423d3030adba

memory/4344-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2896-20-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 45e68e0e7a284376f228ec8ed4c6bb22
SHA1 33ed2f577c401babc28d8efa4bc264c49793868e
SHA256 5237ce4a48c12a1efe18bbd03673270a67ff775d30b557782c78dde4eb534524
SHA512 cc279dcb0089ea1a24f36cac9164b53d5cf8f35088ac701022ec785fd85b1e8c0e14c560f349bb1d30936f96436cff179b56c2e953e2fd917887673a01a268d4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 195fc28150bef9b30510eed36fb325af
SHA1 1ea8a314d8af1d431b77d5280d1782e9a8e867c6
SHA256 5c2e51ccf5767f80257a0a0bb66dee40957e5379431e15a118e7f1343ad1f6e0
SHA512 537da7e46d8b5afc796c1908042088c583c5380fb729f3665845fe36286b3efeaec9fa26475e9c2263f55b1eca04bd7ae26088a9a85950b2b7f750fd24eadcfc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 2a35df2a26cb957c1f554a92fb342d42
SHA1 beb16f414119718363cd9bfcaae8d0ce359911bb
SHA256 a6f38578bf438ab6b0e064bd5a134c4b3cae5703e54d864af6f5f630989ba211
SHA512 a528f29f6b0fa4690dc5ea71caa3f91ae001eee3da6ce4b29c7611e4e3f4674f569e7a8d3b5c54a84a8b4466761d417b4db26f87edba086a43c35a3efbc5e812

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

memory/2896-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2896-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2896-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2896-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2896-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2896-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2896-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2896-35-0x0000000000400000-0x0000000000537000-memory.dmp