Malware Analysis Report

2025-04-13 10:24

Sample ID 250325-zv99vasvhz
Target 43df4500189c83808a119ee66ee8b77488619eed618316d937461e602cdc156d.zip
SHA256 43df4500189c83808a119ee66ee8b77488619eed618316d937461e602cdc156d
Tags: discovery djvu persistence ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral5
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral6
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral8
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral7
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 43df4500189c83808a119ee66ee8b77488619eed618316d937461e602cdc156d

Threat Level: Known bad

The file 43df4500189c83808a119ee66ee8b77488619eed618316d937461e602cdc156d.zip was found to be: Known bad.

Malicious Activity Summary

discovery djvu persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Djvu family

Renames multiple (169) files with added filename extension

Modifies file permissions

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-25 21:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2025-03-25 21:03

Reported

2025-03-25 21:06

Platform

win7-20241010-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\MihalyLevente_Vezetotrening.docx"

Signatures

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\MihalyLevente_Vezetotrening.docx"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2576-0-0x000000002FF31000-0x000000002FF32000-memory.dmp

memory/2576-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2576-2-0x000000007186D000-0x0000000071878000-memory.dmp

memory/2576-9-0x000000007186D000-0x0000000071878000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2025-03-25 21:03

Reported

2025-03-25 21:06

Platform

win10v2004-20250314-en

Max time kernel

133s

Max time network

142s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\MihalyLevente_Vezetotrening.docx" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\MihalyLevente_Vezetotrening.docx" /o ""

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp
GB | 2.18.27.146:443 | metadata.templates.cdn.office.net | tcp
US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp
GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp
GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp
GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp
GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp
GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp
GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp
GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp
GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp
GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp
GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp
GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp
GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp
GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.179.227:80 | c.pki.goog | tcp

Files

memory/2372-0-0x00007FFD2EC6D000-0x00007FFD2EC6E000-memory.dmp

memory/2372-1-0x00007FFCEEC50000-0x00007FFCEEC60000-memory.dmp

memory/2372-3-0x00007FFCEEC50000-0x00007FFCEEC60000-memory.dmp

memory/2372-2-0x00007FFCEEC50000-0x00007FFCEEC60000-memory.dmp

memory/2372-5-0x00007FFCEEC50000-0x00007FFCEEC60000-memory.dmp

memory/2372-4-0x00007FFCEEC50000-0x00007FFCEEC60000-memory.dmp

memory/2372-6-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-10-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-11-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-9-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-8-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-12-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-14-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-15-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-19-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-18-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-22-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-21-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-20-0x00007FFCEC560000-0x00007FFCEC570000-memory.dmp

memory/2372-17-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-16-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-13-0x00007FFCEC560000-0x00007FFCEC570000-memory.dmp

memory/2372-7-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-37-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-36-0x00007FFD2EC6D000-0x00007FFD2EC6E000-memory.dmp

memory/2372-38-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-39-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-40-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-46-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-45-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-44-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-47-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-48-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-43-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-42-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-41-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

memory/2372-49-0x00007FFD2EBD0000-0x00007FFD2EDC5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 db6ad4b146f049e392df10e23c2cbead
SHA1 8a8b2230b45c4929fd9950f241c6e6b99795a1a3
SHA256 72898ad6193e403b999dc62b57f39bda918170a98c21dd464467719a5d145c69
SHA512 2443d2fb16e65ac47cf83f030df7e7af3ce9927a8c7e5e5bce06170a066c561dfac4759fe25d5649695dbfb5ba06e22c8a2a5d3b2556aedcca077a5a3de707cf

C:\Users\Admin\AppData\Local\Temp\TCDFFAE.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Analysis: behavioral5

Detonation Overview

Submitted

2025-03-25 21:03

Reported

2025-03-25 21:06

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mihály Levente_Tartalmi kivonat_2017.pdf"

Signatures

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mihály Levente_Tartalmi kivonat_2017.pdf"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 5dbe44ce039bc0f84dea1463455f8624
SHA1 7fa85387030dc33d0c6462a360624a1921b86f92
SHA256 09f7e5a320d4e3dd6a63501bdcfc4eeabc9a0573fc4614a21a0467dfdcc9d7ff
SHA512 38d2ab5c193e735cd45b385bd0686ae56f3432e1a88fdc040229e01136900efaa37a6c8b29f716f72af4337319279d69a0fda47f9cf4cdc6a13673ffdf0ad408

Analysis: behavioral6

Detonation Overview

Submitted

2025-03-25 21:03

Reported

2025-03-25 21:06

Platform

win10v2004-20250314-en

Max time kernel

104s

Max time network

138s

Command Line

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mihály Levente_Tartalmi kivonat_2017.pdf"

Signatures

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2032 wrote to memory of 4832 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2032 wrote to memory of 4832 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2032 wrote to memory of 4832 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 3964 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4832 wrote to memory of 1636 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Processes

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mihály Levente_Tartalmi kivonat_2017.pdf"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=23BA4D7D641E94722EA4D9811F432476 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BD7363199B12ADB1883CAEE0440245B0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BD7363199B12ADB1883CAEE0440245B0 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=59C447FABA4C50E67E6E73102565FB4F --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8FF4642B8B97F55377989681AF328D7A --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7749CF022E26A36A9306910C5506CCF7 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F014E207432646C5B9C0999679F662D0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F014E207432646C5B9C0999679F662D0 --renderer-client-id=7 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 c2089f121b25f5906bcb4becf5665ee1
SHA1 a3b9ef5aeb9a516d8239ab4742476c88f942a865
SHA256 c30b9172c0206e375e39a6fd505b3531d5f328beae2ad4327eea5a58b459ac99
SHA512 c95a1af165ab7e6c924173666ced81ce03021751d4d25faded2d52c9c3a5bd20117dcdf22dc3246360c5529e53ead4c77ffde6b9c65b07dd0cb00db2efddcc31

memory/2032-122-0x000000000B490000-0x000000000B73B000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2025-03-25 21:03

Reported

2025-03-25 21:06

Platform

win10v2004-20250314-en

Max time kernel

133s

Max time network

141s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Mérések Co2 lézeres kezelésre_v2.xlsx"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Mérések Co2 lézeres kezelésre_v2.xlsx"

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

memory/3024-1-0x00007FFCBAA6D000-0x00007FFCBAA6E000-memory.dmp

memory/3024-0-0x00007FFC7AA50000-0x00007FFC7AA60000-memory.dmp

memory/3024-2-0x00007FFC7AA50000-0x00007FFC7AA60000-memory.dmp

memory/3024-3-0x00007FFC7AA50000-0x00007FFC7AA60000-memory.dmp

memory/3024-4-0x00007FFCBA9D0000-0x00007FFCBABC5000-memory.dmp

memory/3024-5-0x00007FFCBA9D0000-0x00007FFCBABC5000-memory.dmp

memory/3024-6-0x00007FFC7AA50000-0x00007FFC7AA60000-memory.dmp

memory/3024-7-0x00007FFC7AA50000-0x00007FFC7AA60000-memory.dmp

memory/3024-8-0x00007FFCBA9D0000-0x00007FFCBABC5000-memory.dmp

memory/3024-10-0x00007FFCBA9D0000-0x00007FFCBABC5000-memory.dmp

memory/3024-11-0x00007FFCBA9D0000-0x00007FFCBABC5000-memory.dmp

memory/3024-9-0x00007FFCBA9D0000-0x00007FFCBABC5000-memory.dmp

memory/3024-12-0x00007FFC78700000-0x00007FFC78710000-memory.dmp

memory/3024-14-0x00007FFCBA9D0000-0x00007FFCBABC5000-memory.dmp

memory/3024-13-0x00007FFC78700000-0x00007FFC78710000-memory.dmp

memory/3024-15-0x00007FFCBA9D0000-0x00007FFCBABC5000-memory.dmp

memory/3024-25-0x00007FFCBA9D0000-0x00007FFCBABC5000-memory.dmp

memory/3024-26-0x00007FFCBAA6D000-0x00007FFCBAA6E000-memory.dmp

memory/3024-27-0x00007FFCBA9D0000-0x00007FFCBABC5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 238a45e19649a95b72b1b61b573580e9
SHA1 d6ff4f739db97626b4c6c781455a64bde8e6b753
SHA256 18951e2593d186ffd915524ddeac25f5204e0f8e13a7bdebc49b798a2e4f61c5
SHA512 4a0eb1ffb89dc4c95a9cd8582830f0ab60b940143ec75afcac5b1115a0544af2569037e9452e9d3ca685ec4b4e0314308ea45844609038e3d41e71f87057f891

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-25 21:03

Reported

2025-03-25 21:06

Platform

win7-20250207-en

Max time kernel

146s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Djvu family

djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5323b280-a9f4-4b9a-9097-1f1b411e4c45\\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\5323b280-a9f4-4b9a-9097-1f1b411e4c45\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe C:\Windows\SysWOW64\icacls.exe
PID 1628 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe C:\Windows\SysWOW64\icacls.exe
PID 1628 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe C:\Windows\SysWOW64\icacls.exe
PID 1628 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe C:\Windows\SysWOW64\icacls.exe
PID 1628 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe
PID 1628 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe
PID 1628 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe
PID 1628 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe
PID 884 wrote to memory of 1536 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\5323b280-a9f4-4b9a-9097-1f1b411e4c45\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe
PID 884 wrote to memory of 1536 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\5323b280-a9f4-4b9a-9097-1f1b411e4c45\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe
PID 884 wrote to memory of 1536 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\5323b280-a9f4-4b9a-9097-1f1b411e4c45\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe
PID 884 wrote to memory of 1536 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\5323b280-a9f4-4b9a-9097-1f1b411e4c45\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe

"C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\5323b280-a9f4-4b9a-9097-1f1b411e4c45" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe

"C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\taskeng.exe

taskeng.exe {BA86572B-8085-472E-B934-39EE2290CCE8} S-1-5-21-677481364-2238709445-1347953534-1000:JXXXDSWS\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\5323b280-a9f4-4b9a-9097-1f1b411e4c45\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe

C:\Users\Admin\AppData\Local\5323b280-a9f4-4b9a-9097-1f1b411e4c45\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe --Task

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.96.1:443 api.2ip.ua tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 104.21.96.1:443 api.2ip.ua tcp
US 8.8.8.8:53 vjsi.top udp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.143:80 crl.microsoft.com tcp
US 104.21.96.1:443 api.2ip.ua tcp
US 8.8.8.8:53 www.microsoft.com udp

Files

memory/1628-0-0x0000000000280000-0x0000000000311000-memory.dmp

memory/1628-1-0x0000000000280000-0x0000000000311000-memory.dmp

memory/1628-2-0x0000000000560000-0x000000000067A000-memory.dmp

memory/1628-3-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\5323b280-a9f4-4b9a-9097-1f1b411e4c45\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe

MD5 f8ef98bbaff6ac82dacde20ee90bfa55
SHA1 65761535a352bfeece2a708eaf6a329fc544872e
SHA256 5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de
SHA512 21618fa54b094fa37deeed5ef7e2fba6da13e57dc36119a5fe502e855a81fa5c9530b45a8be1a0333c8aa0ee862eb07f5c4af1c622b79bbfa8b3e4a3285790dd

memory/1628-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1628-23-0x0000000000560000-0x000000000067A000-memory.dmp

memory/1628-22-0x0000000000280000-0x0000000000311000-memory.dmp

memory/1628-21-0x0000000000400000-0x000000000055B000-memory.dmp

memory/2776-25-0x0000000000310000-0x00000000003A1000-memory.dmp

memory/2776-27-0x0000000000400000-0x000000000055B000-memory.dmp

memory/2776-26-0x0000000000400000-0x000000000055B000-memory.dmp

memory/2776-28-0x0000000000400000-0x000000000055B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 33af9ae13335a4bc7ab70c47c75779ed
SHA1 e3ad7e310ad3825d377fdca16412417c3db46bdb
SHA256 119505c28fac54a1646d5b66f3a9d334d33a3be1810c1be2d2e33b5217efbb94
SHA512 38866634918746e13d5acf4b2668480432925c0bad560d92613c71641ada1d0a5209f84fdc2e9e110efbf8501d9fc4298fcc2dcf4430680df952787d36c8eba7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 c9be626e9715952e9b70f92f912b9787
SHA1 aa2e946d9ad9027172d0d321917942b7562d6abe
SHA256 c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4
SHA512 7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 4070b30cd71f71d809a79e92ec6c0723
SHA1 f7b2a72ab4903ee2f4fdc7b5e1423173592089bf
SHA256 a6518988dd33de19bbb9d0c762e5f044bb22f56938042301b0f0f7553d8b64fa
SHA512 50993089af8b1c506280b02dbe183e8e0b882d385555220dbe368625307b0cdf1714b99bbe9d8b8b5485fd3388e6ddb8172aeb1b155675fb26d3c6a3a3dc565a

C:\Users\Admin\AppData\Local\Temp\CabA785.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2776-42-0x0000000000400000-0x000000000055B000-memory.dmp

memory/2776-44-0x0000000000400000-0x000000000055B000-memory.dmp

memory/2776-47-0x0000000000400000-0x000000000055B000-memory.dmp

memory/1536-59-0x00000000002D0000-0x0000000000361000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar69FA.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/1536-73-0x0000000000400000-0x000000000055B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-25 21:03

Reported

2025-03-25 21:06

Platform

win10v2004-20250314-en

Max time kernel

141s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Djvu family

djvu

Renames multiple (169) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\936e7555-ddbf-4ec9-be30-fa8fbedcbc81\\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\936e7555-ddbf-4ec9-be30-fa8fbedcbc81\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe

"C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\936e7555-ddbf-4ec9-be30-fa8fbedcbc81" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe

"C:\Users\Admin\AppData\Local\Temp\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5820 -ip 5820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 2136

C:\Users\Admin\AppData\Local\936e7555-ddbf-4ec9-be30-fa8fbedcbc81\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe

C:\Users\Admin\AppData\Local\936e7555-ddbf-4ec9-be30-fa8fbedcbc81\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe --Task

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2464 -ip 2464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4616 -ip 4616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 1080

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.96.1:443 api.2ip.ua tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 104.21.96.1:443 api.2ip.ua tcp
US 8.8.8.8:53 vjsi.top udp
US 8.8.8.8:53 vjsi.top udp
US 8.8.8.8:53 vjsi.top udp
US 8.8.8.8:53 vjsi.top udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 104.21.96.1:443 api.2ip.ua tcp

Files

memory/5820-1-0x00000000006C0000-0x0000000000752000-memory.dmp

memory/5820-2-0x0000000000AA0000-0x0000000000BBA000-memory.dmp

memory/5820-3-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\936e7555-ddbf-4ec9-be30-fa8fbedcbc81\5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de.exe

MD5 f8ef98bbaff6ac82dacde20ee90bfa55
SHA1 65761535a352bfeece2a708eaf6a329fc544872e
SHA256 5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de
SHA512 21618fa54b094fa37deeed5ef7e2fba6da13e57dc36119a5fe502e855a81fa5c9530b45a8be1a0333c8aa0ee862eb07f5c4af1c622b79bbfa8b3e4a3285790dd

memory/5820-15-0x0000000000AA0000-0x0000000000BBA000-memory.dmp

memory/5820-16-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5820-14-0x0000000000400000-0x000000000055B000-memory.dmp

memory/4616-18-0x0000000000400000-0x000000000055B000-memory.dmp

memory/4616-19-0x0000000000400000-0x000000000055B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 d2c39a5cd03ffd3a467cd0d0b0b281ad
SHA1 14f2cde5fbb90b9a932927f51e67ca9e084995f4
SHA256 b75fdb835073cfc213e769f5ae4cbbbc913cde07bd10d047d60fda12ce905346
SHA512 7ef9908d70d8bacbb469bbbdbbbfe918225ffbad84354b7da8567b7c321a14a297137dd4b8c953e0ecec0a91e3f11f269dfeb7cc8a5a794332e52fd94c0919ab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 c9be626e9715952e9b70f92f912b9787
SHA1 aa2e946d9ad9027172d0d321917942b7562d6abe
SHA256 c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4
SHA512 7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 df02b8ce462475fcbb8d15ef54d68433
SHA1 65457b761beb84c7772a3f74411768bbb1a418c0
SHA256 19bbd6601736a149152f2e50047e7495cfdce32d0f561321ba20eb7d184962a9
SHA512 2324e4ce4e1e6e45a22f335d9e18b774d330475d15f4028c3ecec3c828df099a9b65524e7e89fe5891c07c04d7b3f433e03175c735abb3c071eabab1e3622380

memory/4616-26-0x0000000000400000-0x000000000055B000-memory.dmp

memory/4616-30-0x0000000000400000-0x000000000055B000-memory.dmp

memory/4616-31-0x0000000000400000-0x000000000055B000-memory.dmp

memory/2464-42-0x0000000000400000-0x000000000055B000-memory.dmp

memory/2464-43-0x0000000000400000-0x000000000055B000-memory.dmp

memory/2464-46-0x0000000000400000-0x000000000055B000-memory.dmp

F:\_readme.txt

MD5 816b68812d5aa2d68eeff78ee6735fc4
SHA1 0eb4b3914ec2098f36686da6b59c53d872023428
SHA256 5bd89a0eaac1f5e7e89482d37d6b36dbaf7d9da869ebab6294a4ecd19bf97ef9
SHA512 6ee8bf859936209374f0bead4d1ce4dd2085e97da3270a22ee4761b2a08954714777342ff554fa6515f2f96d56729f52257dbe8e21bdbbf18d1164b5caf6a68d

memory/4616-390-0x0000000000400000-0x000000000055B000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2025-03-25 21:03

Reported

2025-03-25 21:06

Platform

win7-20250207-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Mérések Co2 lézeres kezelésre_v2.xlsx"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Mérések Co2 lézeres kezelésre_v2.xlsx"

Network

N/A

Files

memory/2336-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2336-1-0x0000000072AAD000-0x0000000072AB8000-memory.dmp

memory/2336-2-0x0000000072AAD000-0x0000000072AB8000-memory.dmp