Malware Analysis Report

2024-10-19 01:49

Sample ID 240523-dtwjeacb49
Target 86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6
SHA256 86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6
Tags
djvu discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6

Threat Level: Known bad

The file 86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-23 03:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 03:18

Reported

2024-05-23 03:21

Platform

win10v2004-20240426-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7eb3df81-be78-4c02-8060-4fd8723bc652\\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 2216 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 2216 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 2216 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 2216 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 2216 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 2216 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 2216 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 2216 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 2216 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 4980 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Windows\SysWOW64\icacls.exe
PID 4980 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Windows\SysWOW64\icacls.exe
PID 4980 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Windows\SysWOW64\icacls.exe
PID 4980 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 4980 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 4980 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1452 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1452 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1452 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1452 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1452 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1452 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1452 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1452 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1452 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1452 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe

Processes

C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe

"C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe"

C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe

"C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\7eb3df81-be78-4c02-8060-4fd8723bc652" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe

"C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe

"C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 35.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 cajgtus.com udp
NL 23.62.61.194:443 www.bing.com tcp
PE 190.187.52.42:80 cajgtus.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
KR 211.119.84.112:80 sdfjhuz.com tcp
PE 190.187.52.42:80 cajgtus.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 42.52.187.190.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 112.84.119.211.in-addr.arpa udp
PE 190.187.52.42:80 cajgtus.com tcp
PE 190.187.52.42:80 cajgtus.com tcp
PE 190.187.52.42:80 cajgtus.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/2216-1-0x0000000002E80000-0x0000000002F15000-memory.dmp

memory/2216-2-0x00000000049C0000-0x0000000004ADB000-memory.dmp

memory/4980-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4980-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4980-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4980-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\7eb3df81-be78-4c02-8060-4fd8723bc652\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe

MD5 1803415d0d0002e02718ff233a24c314
SHA1 c46f8bb5067f2deed66c7076a30ea7424088b6b0
SHA256 86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6
SHA512 e5385320d5fe607a472f1825daf88a69bef9ae5a8c72c66610b08496eee3945f42378b269450b75ffa4509c0c3bd2c755bd80120def13d7378f9371b976dc5e5

memory/4980-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/520-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7575c39a544943a68ce6e709c586005a
SHA1 4874b30bd1d455b28a95c4e21c5aecd1ea043d7a
SHA256 4737de49245ace1ca1fdeaacd5feee9bbda88bc6f42c84a1ea7d316383792cf8
SHA512 abf3d85393725113e720cbe8980b369236511e3984e8cbfa795f19bb5d6e39822e80a835caeb498581797a74b349765ba1a27f26586a17a66ae1c88bd066a3d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b1afea65e7e2b6faab90485b42131b09
SHA1 ba03b4fd2f93d6f0d66b9bef87e5b49109230f0d
SHA256 130aded94c21c434daf64fd6e105aba120d2e0b2ab77ac74e59cadfcb615713a
SHA512 3ba39416d8a3b473a4cb6a6fb4eea78ab1fe50e066ed41978af9669d82b0b1e887ec9bcb4aa2993f27a4bbe55369b909435757d9b619a2a578fe0e1e404b9b3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 0c208c4a1dbed98c4ee72e1aac92a568
SHA1 72e2b4c10aee1ce6c8d46a4036259f6860ebd0ac
SHA256 26436193e7bf73d0750c41a3cb4adcdb94d2df662fba24a393b2a81c63af903d
SHA512 029f9d39e14bfec816e44310f451369e703982e08dd4fc5cac6ab90fba1481e1bc33a30b09c1f49723084a254c83b4c6fc9fe2cfb45ca18b0e168fdb5e024b2e

memory/520-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/520-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/520-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/520-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/520-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/520-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/520-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/520-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 03:18

Reported

2024-05-23 03:21

Platform

win11-20240426-en

Max time kernel

144s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\55a6d1d4-6560-4a53-83e4-851d6695dce2\\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 692 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 692 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 692 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 692 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 692 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 692 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 692 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 692 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 692 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 692 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 3504 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Windows\SysWOW64\icacls.exe
PID 3504 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Windows\SysWOW64\icacls.exe
PID 3504 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Windows\SysWOW64\icacls.exe
PID 3504 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 3504 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 3504 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1824 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1824 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1824 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1824 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1824 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1824 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1824 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1824 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1824 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe
PID 1824 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe

Processes

C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe

"C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe"

C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe

"C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\55a6d1d4-6560-4a53-83e4-851d6695dce2" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe

"C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe

"C:\Users\Admin\AppData\Local\Temp\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 35.169.217.172.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
KR 211.119.84.112:80 sdfjhuz.com tcp
KR 211.202.224.10:80 cajgtus.com tcp
KR 211.202.224.10:80 cajgtus.com tcp
KR 211.202.224.10:80 cajgtus.com tcp
KR 211.202.224.10:80 cajgtus.com tcp
KR 211.202.224.10:80 cajgtus.com tcp

Files

memory/692-1-0x0000000004AB0000-0x0000000004B50000-memory.dmp

memory/692-2-0x0000000004B50000-0x0000000004C6B000-memory.dmp

memory/3504-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3504-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3504-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3504-3-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\55a6d1d4-6560-4a53-83e4-851d6695dce2\86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6.exe

MD5 1803415d0d0002e02718ff233a24c314
SHA1 c46f8bb5067f2deed66c7076a30ea7424088b6b0
SHA256 86d141e0d9832840216d6c932553530d56c47a49961ac32f4578db76646357e6
SHA512 e5385320d5fe607a472f1825daf88a69bef9ae5a8c72c66610b08496eee3945f42378b269450b75ffa4509c0c3bd2c755bd80120def13d7378f9371b976dc5e5

memory/3504-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3152-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 83b069d12b7d18f2bd2d0c8ae179459a
SHA1 d7b459f370c867be6a92eec6ad18403fb03caf95
SHA256 ebfde287c37ff793b9cd04a81bafcfdd904272300049c1194035ebc2a21e6107
SHA512 595b435c83f870671180faa83bebaef98379c3f26ef7593dbd1ce1af0bccca66581ab25112c790e544e50937a213b98fd3e32bdba9d465bb5c1cafa5a6f49053

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7575c39a544943a68ce6e709c586005a
SHA1 4874b30bd1d455b28a95c4e21c5aecd1ea043d7a
SHA256 4737de49245ace1ca1fdeaacd5feee9bbda88bc6f42c84a1ea7d316383792cf8
SHA512 abf3d85393725113e720cbe8980b369236511e3984e8cbfa795f19bb5d6e39822e80a835caeb498581797a74b349765ba1a27f26586a17a66ae1c88bd066a3d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 bb51363fdd5a46c99f0a307753a46edd
SHA1 60c53b5f30818eea076a5c98eb8ac03c6d37efb5
SHA256 d04d72da87a21d41d85e0e27574611555ab849a23ece68fa6ff05f08c1080438
SHA512 14bce61ee28dad8fadbdc5064d1b62e471c707a2805d95abcf21cc52496c561def90f88d1d0d2a430dfc8e635bdb383b200fe0a14e5dddd909e466ef77e9d8a0

memory/3152-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3152-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3152-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3152-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3152-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3152-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3152-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3152-37-0x0000000000400000-0x0000000000537000-memory.dmp