Malware Analysis Report

2024-10-19 01:49

Sample ID 240523-awerwseh31
Target 6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7
SHA256 6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7
Tags
djvu discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7

Threat Level: Known bad

The file 6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Modifies file permissions

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-23 00:33

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 00:33

Reported

2024-05-23 00:36

Platform

win11-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a0861954-190a-490e-8db4-c5bdae18bd9e\\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 identical rows)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description (identical rows collapsed) Indicator Process Target
PID 3396 wrote to memory of 1164 (10 rows) N/A C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe
PID 1164 wrote to memory of 1312 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe C:\Windows\SysWOW64\icacls.exe
PID 1164 wrote to memory of 4944 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe
PID 4944 wrote to memory of 248 (10 rows) N/A C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe
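The 26 rows above are only four distinct writer/target pairs, one row per write. Rebuilding them as a graph makes the chain readable: the first process writes into a second copy of its own image (the shape that goes with the SetThreadContext signature in this report), that copy spawns icacls and a third copy, and the third copy writes into a fourth. What follows is an added example, not part of the sandbox output: the PID pairs and image paths are the report's own, assembled here as constructed input rows, and the graph and "same image" logic are this example's, not anything the sandbox emits.

```python
"""Rebuild the process chain from this report's 'wrote to memory of' rows.

Added example, not part of the sandbox output. The PID pairs and image
paths are copied from the behavioral2 WriteProcessMemory table; the row
tuples below are constructed input in that shape.
"""
import re
from collections import Counter

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe")
ICACLS = r"C:\Windows\SysWOW64\icacls.exe"

# (description, writer image, target image): one tuple per table row
WPM_ROWS = (
    [("PID 3396 wrote to memory of 1164", SAMPLE_EXE, SAMPLE_EXE)] * 10
    + [("PID 1164 wrote to memory of 1312", SAMPLE_EXE, ICACLS)] * 3
    + [("PID 1164 wrote to memory of 4944", SAMPLE_EXE, SAMPLE_EXE)] * 3
    + [("PID 4944 wrote to memory of 248", SAMPLE_EXE, SAMPLE_EXE)] * 10
)
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def build_graph(rows):
    """Return (edge counts {(writer, target): n}, {pid: image path})."""
    edges, images = Counter(), {}
    for desc, writer_img, target_img in rows:
        m = ROW_RE.fullmatch(desc.strip())
        if not m:
            continue  # not a WriteProcessMemory row; ignore
        writer, target = int(m.group(1)), int(m.group(2))
        edges[(writer, target)] += 1
        images.setdefault(writer, writer_img)
        images.setdefault(target, target_img)
    return edges, images


def roots(edges):
    """PIDs that wrote to others but were never written to: the chain's origin."""
    writers = {w for w, _ in edges}
    targets = {t for _, t in edges}
    return sorted(writers - targets)


def same_image_writes(edges, images):
    """Edges whose writer and target run the same binary.

    Writing into a fresh copy of one's own image before it runs is the
    pattern that accompanies the SetThreadContext signature in this report;
    the icacls edge is excluded because its image differs.
    """
    return sorted((w, t, n) for (w, t), n in edges.items()
                  if images[w].lower() == images[t].lower())


def render(edges, images, pid, depth=0, writes=None, lines=None):
    """Indented text tree rooted at pid; children ordered by (writer, target)."""
    lines = [] if lines is None else lines
    name = images[pid].rsplit("\\", 1)[-1]
    suffix = f"  <- {writes} writes" if writes else ""
    lines.append("  " * depth + f"{pid} {name}{suffix}")
    for (w, t), n in sorted(edges.items()):
        if w == pid:
            render(edges, images, t, depth + 1, n, lines)
    return lines


if __name__ == "__main__":
    edges, images = build_graph(WPM_ROWS)
    for root in roots(edges):
        print("\n".join(render(edges, images, root)))
    print("same-image writes:", same_image_writes(edges, images))
```

Run stand-alone it prints a five-line tree rooted at 3396 with 1164 under it, 1312 (icacls) and 4944 under 1164, and 248 under 4944, plus the three same-image edges. The same functions apply unchanged to the behavioral1 run (2804 -> 3764 -> {5004 icacls, 4716 -> 1152}) if its rows are fed in.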

Processes

C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe

"C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe"

C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe

"C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\a0861954-190a-490e-8db4-c5bdae18bd9e" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe

"C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe

"C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe" --Admin IsNotAutoStart IsNotTask
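The signatures above (the icacls deny ACE, the SysHelper Run value, the api.2ip.ua lookup) and the relaunch arguments listed under Processes are all checkable on a host from ordinary process-creation, registry and DNS telemetry. Worth reading carefully first: icacls "<folder>" /deny *S-1-1-0:(OI)(CI)(DE,DC) denies Everyone (well-known SID S-1-1-0) the Delete (DE) and Delete Child (DC) rights on the GUID-named folder, inherited by its files (OI) and subfolders (CI), so the dropped copy cannot be deleted by an ordinary user or by tooling running as one until that deny ACE is removed (for example icacls "<folder>" /remove:d *S-1-1-0 from an elevated prompt). The block below is an added example, not part of this sandbox output: it quotes the report's own command lines, registry value and domains as constructed events in an assumed Sysmon-like shape (the field names and the event list are assumptions), tags each hit with the report's signature names, and includes a constructed benign icacls /grant to show the ACE check does not fire on routine administration.

```python
"""Host-side checks for the behaviours this report attributes to the sample.

Added example, not part of the sandbox output. EVENTS is a constructed,
Sysmon-like event list (field names are an assumption); the command lines,
registry value and domains inside it are quoted from the behavioral2 run.
"""
import re
from dataclasses import dataclass

SAMPLE_NAME = "6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe"
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_NAME
DROP_DIR = r"C:\Users\Admin\AppData\Local\a0861954-190a-490e-8db4-c5bdae18bd9e"
DROP_EXE = DROP_DIR + "\\" + SAMPLE_NAME
RUN_KEY = (r"HKU\S-1-5-21-3062789476-783164490-2318012559-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper")

EVENTS = [
    {"type": "process", "pid": 1312, "ppid": 1164, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": f'icacls "{DROP_DIR}" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "process", "pid": 4944, "ppid": 1164, "image": SAMPLE_EXE,
     "cmdline": f'"{SAMPLE_EXE}" --Admin IsNotAutoStart IsNotTask'},
    {"type": "registry", "pid": 1164, "key": RUN_KEY, "value": f'"{DROP_EXE}" --AutoStart'},
    {"type": "dns", "pid": 248, "query": "api.2ip.ua"},
    {"type": "dns", "pid": 248, "query": "cajgtus.com"},
    # Constructed benign control: an admin granting IIS read access must not fire.
    {"type": "process", "pid": 900, "ppid": 1, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls "C:\inetpub\wwwroot" /grant IIS_IUSRS:(OI)(CI)RX'},
]

# Domains the sample contacted over port 80 in this report's Network tables.
REPORT_DOMAINS = {"cajgtus.com", "sdfjhuz.com"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
ACE_RE = re.compile(
    r'icacls(?:\.exe)?\s+(?:"([^"]+)"|(\S+)).*?/(grant|deny)(?::r)?\s+(\*?[^:\s]+):(\S+)', re.I)


def parse_icacls(cmdline):
    """Split the first /grant or /deny ACE on an icacls command line.

    icacls perm syntax: parenthesised inheritance flags, then either a
    parenthesised list of specific rights "(DE,DC)" or a simple right "RX".
    Returns None when the command line sets no ACE (e.g. /verify, /reset).
    """
    m = ACE_RE.search(cmdline)
    if not m:
        return None
    qpath, upath, mode, sid, perm = m.groups()
    inherit, rights = [], []
    for paren, bare in re.findall(r"\(([^)]*)\)|([A-Z]+)", perm):
        if paren in INHERIT_FLAGS:
            inherit.append(paren)
        elif paren:
            rights.extend(paren.split(","))
        else:
            rights.append(bare)
    return {"path": qpath or upath, "mode": mode.lower(), "sid": sid,
            "inherit": inherit, "rights": rights}


@dataclass(frozen=True)
class Finding:
    signature: str  # named after this report's signature headings
    pid: int
    detail: str


def check_events(events):
    """Apply the behaviours from this report's signatures to a list of events."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            ace = parse_icacls(ev["cmdline"]) if ev["image"].lower().endswith("icacls.exe") else None
            # Deny Everyone delete / delete-child on a GUID-named AppData\Local
            # folder: the dropped copy is being shielded from removal.
            if (ace and ace["mode"] == "deny"
                    and ace["sid"].upper() in ("*S-1-1-0", "EVERYONE")
                    and {"DE", "DC"} & set(ace["rights"])
                    and "\\appdata\\local\\" in ace["path"].lower()
                    and GUID_RE.search(ace["path"])):
                findings.append(Finding("Modifies file permissions", ev["pid"], ev["cmdline"]))
            if "--Admin IsNotAutoStart IsNotTask" in ev["cmdline"] or "--AutoStart" in ev["cmdline"]:
                findings.append(Finding("Detected Djvu ransomware", ev["pid"],
                                        "relaunch arguments as seen in this report"))
        elif ev["type"] == "registry":
            # Run value pointing at a GUID-named folder or carrying --AutoStart.
            if (re.search(r"\\CurrentVersion\\Run\\[^\\]+$", ev["key"], re.I)
                    and ("--AutoStart" in ev["value"] or GUID_RE.search(ev["value"]))):
                findings.append(Finding("Adds Run key to start application", ev["pid"], ev["key"]))
        elif ev["type"] == "dns":
            q = ev["query"].lower().rstrip(".")
            if q == "api.2ip.ua":
                findings.append(Finding("Looks up external IP address via web service", ev["pid"], q))
            elif q in REPORT_DOMAINS:
                findings.append(Finding("Contacts domain from this report's network capture", ev["pid"], q))
    return findings


if __name__ == "__main__":
    for f in check_events(EVENTS):
        print(f"[{f.signature}] pid={f.pid} {f.detail}")
```

The ACE check is deliberately narrow (deny, Everyone, DE/DC, GUID folder under AppData\Local) because icacls /deny is also used legitimately; the benign /grant event in EVENTS produces no finding. The Run-key and DNS checks are weak on their own and are meant to be correlated with the ACE or the relaunch arguments, which is how the sandbox's own score is built up from several signatures.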

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
IR 37.255.238.137:80 cajgtus.com tcp
CO 190.159.30.35:80 cajgtus.com tcp
IR 37.255.238.137:80 cajgtus.com tcp
IR 37.255.238.137:80 cajgtus.com tcp
IR 37.255.238.137:80 cajgtus.com tcp
IR 37.255.238.137:80 cajgtus.com tcp

Files

memory/3396-1-0x0000000004A10000-0x0000000004AAD000-memory.dmp

memory/1164-2-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3396-3-0x0000000004AB0000-0x0000000004BCB000-memory.dmp

memory/1164-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1164-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1164-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\a0861954-190a-490e-8db4-c5bdae18bd9e\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe

MD5 646219d918509f10f82be9002ab95378
SHA1 234aecb88c72e6f5225b682974d0f77053652e22
SHA256 6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7
SHA512 43fa079e53184cc9afaf94cf9286ff1e53de80f4aa543595477878d24cc902cd3c92d8d1c5575b90b54f8280e3da5ae16b38d39bd6cbaf7eb82991de2b4c7d7b

memory/1164-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/248-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 0aa0a2b9744251bf808d53b479c0f56e
SHA1 cab8629be656e8396576151077a8092c0a64fcd1
SHA256 b0b5623c234fa0a57f9b44397a7220569f082fffc6254f65489a0fd52760fdb3
SHA512 e16302ab1814795595a6a56a4c391c7b98c9ff1bd47fd6dd9667c2da698139a70230a1bd03668e6e95c8a1359b4cc35c9beb9e92b206a2a4ccee2ee08cd69f23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7575c39a544943a68ce6e709c586005a
SHA1 4874b30bd1d455b28a95c4e21c5aecd1ea043d7a
SHA256 4737de49245ace1ca1fdeaacd5feee9bbda88bc6f42c84a1ea7d316383792cf8
SHA512 abf3d85393725113e720cbe8980b369236511e3984e8cbfa795f19bb5d6e39822e80a835caeb498581797a74b349765ba1a27f26586a17a66ae1c88bd066a3d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 fc96626f9bfe91785042b78186c12426
SHA1 fe811e05ea4a8034737c1a69e2832b1429d4a262
SHA256 d93e1890e9e4413fe6d17e172ba12161690769dcfba79e05d22e407a92686357
SHA512 f2ae6d705958b4dd125b9f556fab84b4c9d3055178f143f26bcdaff8b798a36f717e765d48fbe74187deebe28cf80972159a772e01969df48f73a976a82ece55

memory/248-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/248-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/248-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/248-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/248-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/248-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/248-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/248-41-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 00:33

Reported

2024-05-23 00:36

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0f569b10-d033-48de-b0ea-1403d94dc903\\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 identical rows)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description (identical rows collapsed) Indicator Process Target
PID 2804 wrote to memory of 3764 (10 rows) N/A C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe
PID 3764 wrote to memory of 5004 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe C:\Windows\SysWOW64\icacls.exe
PID 3764 wrote to memory of 4716 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe
PID 4716 wrote to memory of 1152 (10 rows) N/A C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe

"C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe"

C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe

"C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\0f569b10-d033-48de-b0ea-1403d94dc903" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe

"C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe

"C:\Users\Admin\AppData\Local\Temp\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 cajgtus.com udp
AR 200.122.37.247:80 cajgtus.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
AR 200.114.83.251:80 sdfjhuz.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 247.37.122.200.in-addr.arpa udp
AR 200.122.37.247:80 cajgtus.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 251.83.114.200.in-addr.arpa udp
AR 200.122.37.247:80 cajgtus.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
AR 200.122.37.247:80 cajgtus.com tcp
AR 200.122.37.247:80 cajgtus.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

memory/2804-1-0x0000000002ED0000-0x0000000002F6E000-memory.dmp

memory/3764-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3764-2-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3764-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2804-4-0x0000000004A50000-0x0000000004B6B000-memory.dmp

memory/3764-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\0f569b10-d033-48de-b0ea-1403d94dc903\6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7.exe

MD5 646219d918509f10f82be9002ab95378
SHA1 234aecb88c72e6f5225b682974d0f77053652e22
SHA256 6901a20b62e5cb987eeca25432860c17f775a6b5540c3308feb2bf10a25451b7
SHA512 43fa079e53184cc9afaf94cf9286ff1e53de80f4aa543595477878d24cc902cd3c92d8d1c5575b90b54f8280e3da5ae16b38d39bd6cbaf7eb82991de2b4c7d7b

memory/3764-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1152-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 0524a5cedb48c47befb5e85a86a46f39
SHA1 a2aae060261ab0f257c5c38f03ed78b5f09407d1
SHA256 752b009d8a8423b4a5670dbd2bb6b8db520099f7ff160b14dc4acb3429d69ccb
SHA512 4c0126b07cc1128d8f54e1dbd02b3c509d76040043062b2c069467de5ac5e794d9a99c74aef144620bd66f091ea02c4ea9688c91bb3c036d83a9eff0e696b0f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7575c39a544943a68ce6e709c586005a
SHA1 4874b30bd1d455b28a95c4e21c5aecd1ea043d7a
SHA256 4737de49245ace1ca1fdeaacd5feee9bbda88bc6f42c84a1ea7d316383792cf8
SHA512 abf3d85393725113e720cbe8980b369236511e3984e8cbfa795f19bb5d6e39822e80a835caeb498581797a74b349765ba1a27f26586a17a66ae1c88bd066a3d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 ece978a90c09f3d4d404e983e043b0a6
SHA1 1e2c263ff661df3bd539a4068e3f1ffdac950bd1
SHA256 cc9f6574aac272553b92c6660147d5af46f0c076a26be8fd51fa2c323ffa6b10
SHA512 62185ae669a07205972c0413acd02d1c04ef2d18b1bb9858f8a1c6372cc0c3b591b5f30ed400146b89acd77ca07c399d9e4173bfdc93d976f7b2d1d051236af4

memory/1152-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1152-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1152-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1152-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1152-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1152-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1152-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1152-39-0x0000000000400000-0x0000000000537000-memory.dmp