Malware Analysis Report

2024-10-19 01:49

Sample ID 240523-lcdw2abh3s
Target 6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8
SHA256 6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8
Tags: djvu discovery persistence ransomware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8

Threat Level: Known bad

The file 6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-23 09:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 09:22

Reported

2024-05-23 09:25

Platform

win10v2004-20240426-en

Max time kernel

142s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c814a18e-9902-45a2-96ab-c1437a1998c8\\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1144 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 1144 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 1144 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 1144 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 1144 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 1144 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 1144 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 1144 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 1144 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 1144 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 976 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Windows\SysWOW64\icacls.exe
PID 976 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Windows\SysWOW64\icacls.exe
PID 976 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Windows\SysWOW64\icacls.exe
PID 976 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 976 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 976 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 2780 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 2780 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 2780 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 2780 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 2780 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 2780 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 2780 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 2780 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 2780 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 2780 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe

"C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe"

C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe

"C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c814a18e-9902-45a2-96ab-c1437a1998c8" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe

"C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe

"C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 10.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 cajgtus.com udp
IQ 195.85.218.100:80 cajgtus.com tcp
MX 189.195.132.134:80 cajgtus.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 100.218.85.195.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 134.132.195.189.in-addr.arpa udp
IQ 195.85.218.100:80 cajgtus.com tcp
NL 23.62.61.137:443 www.bing.com tcp
US 8.8.8.8:53 137.61.62.23.in-addr.arpa udp
NL 23.62.61.137:443 www.bing.com tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
IQ 195.85.218.100:80 cajgtus.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
IQ 195.85.218.100:80 cajgtus.com tcp
IQ 195.85.218.100:80 cajgtus.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/1144-1-0x0000000002330000-0x00000000023C5000-memory.dmp

memory/1144-2-0x0000000003D70000-0x0000000003E8B000-memory.dmp

memory/976-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/976-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/976-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/976-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\c814a18e-9902-45a2-96ab-c1437a1998c8\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe

MD5 f4b38701cac3b466ac2c5a99ab8c6416
SHA1 262dedd611d88afe3f9119be37284f9474765fa2
SHA256 6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8
SHA512 d142b5191ff70914c156e026f1316d62745e4c91e9942681d6d76246a2a92aeacbb4f5fcf8b4abc6a9e3140871517a21fa440574e3b1a940aa78716b56ffcf81

memory/976-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/212-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2780-21-0x0000000000400000-0x0000000002015000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 ae7fef5ccc70b8d45fa53faf4826f6f9
SHA1 9e116dc223b81d54f1b69a7df02655c2a0f987ca
SHA256 f79539e5af3b419d151f29879b8cc173381b2f3a2188c5350ed4f06548e608b6
SHA512 d0b2fb1ada136116126042030892ed302dbb92b35fe12b9d2909cbb7c12e31a64fc3d27e6f5b997def5ff4d20e5c69a818970f4f9b8ae110ca27c8cd475ed45f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 e4cacc9fa4adc8a6751aaf917c99e447
SHA1 d27c0b41d3fe6627c82ea3e6e762b1474f64ba51
SHA256 6ebb6b38a3cab01ca3d714f8df8b1d1dc0f159922fe9ae5e104dcd27c59eaf30
SHA512 fc104a463bf08270217f88841c8690dcb264abeebf8bd78dfda2dd2bd4fa85231dc7aede74e427483065ef3e6ef3f2c7e73c1c67dc274861da3421ea35927a80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 78a4286a8750ab07a6f8fc52fec87547
SHA1 b46081a3606ea322dc0ed520dafebc10a591d131
SHA256 85a5dc5dcd8ff32cc6d14850c09fad6e025c48aa1dfe5fb2d0fafff67eb9e584
SHA512 1f6e1f345ad4bc9e653bb10b16f866018f0f8d42581cf32bf39307661d3f0c29f5716ae145844492820b5aa368ec72d99505d2ecadb859659e96ebc6f896d268

memory/212-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/212-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/212-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/212-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/212-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/212-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2780-35-0x0000000000400000-0x0000000002015000-memory.dmp

memory/212-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/212-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 09:22

Reported

2024-05-23 09:25

Platform

win11-20240508-en

Max time kernel

141s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\696b3d80-f924-4129-b621-419625cd6012\\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 752 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 752 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 752 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 752 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 752 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 752 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 752 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 752 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 752 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 752 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 5020 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Windows\SysWOW64\icacls.exe
PID 5020 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Windows\SysWOW64\icacls.exe
PID 5020 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Windows\SysWOW64\icacls.exe
PID 5020 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 5020 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 5020 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 4480 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 4480 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 4480 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 4480 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 4480 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 4480 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 4480 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 4480 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 4480 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe
PID 4480 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe

"C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe"

C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe

"C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\696b3d80-f924-4129-b621-419625cd6012" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe

"C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe

"C:\Users\Admin\AppData\Local\Temp\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
BR 177.129.90.106:80 cajgtus.com tcp
CO 190.156.239.49:80 sdfjhuz.com tcp
BR 177.129.90.106:80 cajgtus.com tcp
BR 177.129.90.106:80 cajgtus.com tcp
BR 177.129.90.106:80 cajgtus.com tcp
BR 177.129.90.106:80 cajgtus.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/5020-2-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5020-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5020-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5020-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/752-3-0x0000000003DF0000-0x0000000003F0B000-memory.dmp

memory/752-1-0x00000000022F0000-0x0000000002388000-memory.dmp

C:\Users\Admin\AppData\Local\696b3d80-f924-4129-b621-419625cd6012\6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8.exe

MD5 f4b38701cac3b466ac2c5a99ab8c6416
SHA1 262dedd611d88afe3f9119be37284f9474765fa2
SHA256 6614b336fb0740c40015b739e5510ebb114250b6cfc4017b9b2099530ebb94c8
SHA512 d142b5191ff70914c156e026f1316d62745e4c91e9942681d6d76246a2a92aeacbb4f5fcf8b4abc6a9e3140871517a21fa440574e3b1a940aa78716b56ffcf81

memory/5020-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/964-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fdd5512faa897f21309ee626823ecc70
SHA1 7f01d7ad69d376e1307ff907b6f57552e01abd1d
SHA256 e0af4f1d01f4bb355500585d5683e35daefcd8d8bf11483f3a8132a942bd359b
SHA512 d8f6b4a4ef4382938f3f87fd084f46260fb6c04792caff638247c6afedc914061c5981de047833a651e9ed083ebcdc1e19006ccb6046b0c0e5a6f6a71991d6b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 e4cacc9fa4adc8a6751aaf917c99e447
SHA1 d27c0b41d3fe6627c82ea3e6e762b1474f64ba51
SHA256 6ebb6b38a3cab01ca3d714f8df8b1d1dc0f159922fe9ae5e104dcd27c59eaf30
SHA512 fc104a463bf08270217f88841c8690dcb264abeebf8bd78dfda2dd2bd4fa85231dc7aede74e427483065ef3e6ef3f2c7e73c1c67dc274861da3421ea35927a80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 14c94dc58bce260534c31129f938e0b2
SHA1 8b65fb9f22462a247c35b41e0ab0aaf595dec993
SHA256 efa279a13112c606d6e3e5d563e052481e732c307b166b99f93c4d6c12c7a204
SHA512 5e0c39663ce3c63a94afee27b6846d14c02b006fb1804c0618333ca94a69ed379d180ab4c0452d1aa771a929f5b4c04b2c1e871d696ee769e2e38749d712b5c2

memory/964-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/964-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/964-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/964-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/964-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/964-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/964-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/964-37-0x0000000000400000-0x0000000000537000-memory.dmp