Malware Analysis Report

2024-10-23 16:23

Sample ID 240522-pxjjssbg22
Target 81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc
SHA256 81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc
Tags
djvu discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc

Threat Level: Known bad

The file 81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Modifies file permissions

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 12:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 12:42

Reported

2024-05-22 12:45

Platform

win11-20240508-en

Max time kernel

143s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f4cbe16c-8b55-4bc3-8992-3bc046a99c6d\\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3004 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3004 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3004 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3004 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3004 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3004 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3004 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3004 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3004 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3004 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 1804 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Windows\SysWOW64\icacls.exe
PID 1804 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Windows\SysWOW64\icacls.exe
PID 1804 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Windows\SysWOW64\icacls.exe
PID 1804 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 1804 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 1804 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 5012 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 5012 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 5012 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 5012 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 5012 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 5012 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 5012 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 5012 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 5012 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 5012 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe

"C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe"

C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe

"C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f4cbe16c-8b55-4bc3-8992-3bc046a99c6d" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe

"C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe

"C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
KR 211.119.84.112:80 sdfjhuz.com tcp
MX 187.134.55.166:80 cajgtus.com tcp
MX 187.134.55.166:80 cajgtus.com tcp
US 8.8.8.8:53 112.84.119.211.in-addr.arpa udp
MX 187.134.55.166:80 cajgtus.com tcp
MX 187.134.55.166:80 cajgtus.com tcp
MX 187.134.55.166:80 cajgtus.com tcp
US 52.111.227.14:443 tcp

Files

memory/3004-1-0x0000000004A30000-0x0000000004ACB000-memory.dmp

memory/1804-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1804-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1804-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1804-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3004-2-0x0000000004B80000-0x0000000004C9B000-memory.dmp

C:\Users\Admin\AppData\Local\f4cbe16c-8b55-4bc3-8992-3bc046a99c6d\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe

MD5 468a3f5c25350ab961951730de8c4ede
SHA1 d8ff3e77681ab16fb0da2bf80bd1fd76aae75b7c
SHA256 81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc
SHA512 0ed8087d988a9b2f0ff3572e29b720890e24ccc1423c7f6d1260992197033018cc415c60d4f0d22c80c7d329b83daae0a27dc98d341e5563fef209a20b05f69d

memory/1804-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3488-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 6728aea2631b86a76c237508d8ba9b55
SHA1 7a670f95cac088313f7558869162fe01c6dc0ec9
SHA256 e1dd7380c6df33cd5702b032e0e359029d3ef7630f06ceb42cfdc154fd0baf7b
SHA512 533080cd1ec40b8530cad5c9914e0a5156d225f7392283ed2607eda4f1db4a6930002274060ed9130a6f634222c2e15818e16a50579cfe7f5274d028d31212f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7e6d5b8617fe039fca48abab0067a4f7
SHA1 2eafde995b9010d8ddd19deae32d3f4278696efa
SHA256 d7c4ba660fa0493a398ba170ee34569bb08a5009e3684b1bb069951ecc8f4889
SHA512 82e6efcc1b70625c75237e51e72a99c33b98b964150e6f963eb00893ee2b30ef927dfd26b1b58df4d4ee40d3267ea26ee90c70b2525442dd69d56fed70437814

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 e55ff4b633b05f26589dbac13ad74182
SHA1 3a9c12b2b00ebdf4f874aa70357441ad6dadf49d
SHA256 a92cff4371b0d15d94a6e5a4e87bc3a8b4f1608a7db1569a35d2273c382d99a0
SHA512 aa092ddd39ebc80d972ac4c0b79ec289e4136b4c56da159adc526b1bc84341db8bda93f3a33e08ad327010ec768e11004edf8010e9f81b655d15af64aa5af17a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

memory/3488-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3488-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3488-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3488-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3488-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3488-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3488-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3488-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 12:42

Reported

2024-05-22 12:45

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\18670b35-acb2-4ccb-98f4-118fee0d294b\\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 932 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 932 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 932 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 932 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 932 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 932 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 932 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 932 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 932 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 932 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 4952 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Windows\SysWOW64\icacls.exe
PID 4952 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Windows\SysWOW64\icacls.exe
PID 4952 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Windows\SysWOW64\icacls.exe
PID 4952 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 4952 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 4952 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3368 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3368 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3368 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3368 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3368 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3368 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3368 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3368 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3368 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe
PID 3368 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe

"C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe"

C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe

"C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\18670b35-acb2-4ccb-98f4-118fee0d294b" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe

"C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe

"C:\Users\Admin\AppData\Local\Temp\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.2:443 api.2ip.ua tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 188.114.97.2:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 cajgtus.com udp
KR 211.119.84.112:80 sdfjhuz.com tcp
US 8.8.8.8:53 112.84.119.211.in-addr.arpa udp
CL 190.13.174.94:80 cajgtus.com tcp
CL 190.13.174.94:80 cajgtus.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 94.174.13.190.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
CL 190.13.174.94:80 cajgtus.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
CL 190.13.174.94:80 cajgtus.com tcp
CL 190.13.174.94:80 cajgtus.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/932-1-0x0000000004840000-0x00000000048D5000-memory.dmp

memory/4952-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/932-4-0x0000000004A00000-0x0000000004B1B000-memory.dmp

memory/4952-2-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4952-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4952-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\18670b35-acb2-4ccb-98f4-118fee0d294b\81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc.exe

MD5 468a3f5c25350ab961951730de8c4ede
SHA1 d8ff3e77681ab16fb0da2bf80bd1fd76aae75b7c
SHA256 81fc7c9924ad00d3e9d0b8323673a8cd9298079040d2b69ad117f3253e99addc
SHA512 0ed8087d988a9b2f0ff3572e29b720890e24ccc1423c7f6d1260992197033018cc415c60d4f0d22c80c7d329b83daae0a27dc98d341e5563fef209a20b05f69d

memory/4952-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1280-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 5d5bcba47f11c475f5a157fdf50300f3
SHA1 4e64de416dfea4f909ccec5b565b4ea118ffb836
SHA256 72929c83c7a6bfdbb8bbfe5a938257fb7f0b10a41309720c4ef0787252e97dab
SHA512 0b825bc576505c3ded5b4f8fe9e6ad4902b52026195de1fec07c805a4819fe43c10fd9f2b5ef900c9e9002113ae26c9ee5f964329f8d40af746bb5461d73fae8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 6728aea2631b86a76c237508d8ba9b55
SHA1 7a670f95cac088313f7558869162fe01c6dc0ec9
SHA256 e1dd7380c6df33cd5702b032e0e359029d3ef7630f06ceb42cfdc154fd0baf7b
SHA512 533080cd1ec40b8530cad5c9914e0a5156d225f7392283ed2607eda4f1db4a6930002274060ed9130a6f634222c2e15818e16a50579cfe7f5274d028d31212f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 616d3c6a010e479b2007212b8d9394d8
SHA1 4ec157977440d9f6c459a5d57d0f7357407e4322
SHA256 437174dbe4c037a1661fded7ca7e43569bd8e2b7a2d79965f6257868f6c7f38d
SHA512 207ef12842611a8f5a661269184712f0cc1c8320100ba0684b0b94e6f17f35f99ad077888b25d9dd061d2121e94c63e54ab14ecc1c566ba5def2ff1057dbf865

memory/1280-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1280-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1280-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1280-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1280-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1280-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1280-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1280-37-0x0000000000400000-0x0000000000537000-memory.dmp