ryuk | 180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7v20201028
submitted
11-03-2021 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a563c50c5fa0fd541248acaf72cc4e7d.exe
Size

635KB
MD5

a563c50c5fa0fd541248acaf72cc4e7d
SHA1

4b8c12b074e20a796071aa50dc82fe2ff755e8f6
SHA256

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843
SHA512

d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Score

10^/10

ryuk dave discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '5GqsR1ewcO'; $torlink = 'http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Dave packer 1 IoCs

Detects executable packed with a packer named 'Dave' from the community, due to a string at the end of it.

dave

resource	yara_rule
behavioral1/memory/1732-5-0x0000000000380000-0x00000000003A2000-memory.dmp	dave

Executes dropped EXE 3 IoCs

pid	Process
1224	aOLkrjIygrep.exe
332	MugkIqqutlan.exe
1628	XFgYGlljTlan.exe

Loads dropped DLL 3 IoCs

pid	Process
1732	a563c50c5fa0fd541248acaf72cc4e7d.exe
1732	a563c50c5fa0fd541248acaf72cc4e7d.exe
1732	a563c50c5fa0fd541248acaf72cc4e7d.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2684	icacls.exe
2696	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	a563c50c5fa0fd541248acaf72cc4e7d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00601G.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR44B.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Darwin	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\tesselate.x3d	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\AcroRead.msi	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21329_.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME20.CSS	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00177_.WMF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153089.WMF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guayaquil	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\QUAD.INF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EXPLR_01.MID	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15133_.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\LEVEL.INF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103850.WMF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_09.MID	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15170_.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\IPEDINTL.DLL	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9F.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00513_.WMF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Verve.eftx	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18180_.WMF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\custom.lua	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01196_.WMF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\01_googleimage.luac	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBE7INTL.DLL	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\vlc.mo	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\adcvbs.inc	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186346.WMF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21295_.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox28.tlb	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02228_.WMF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Composite.xml	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01157_.WMF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_ja.jar	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fontconfig.bfc	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR45B.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WZCNFLCT.CHM	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GB.XSL	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	a563c50c5fa0fd541248acaf72cc4e7d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1732	a563c50c5fa0fd541248acaf72cc4e7d.exe
1732	a563c50c5fa0fd541248acaf72cc4e7d.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1732	a563c50c5fa0fd541248acaf72cc4e7d.exe
1732	a563c50c5fa0fd541248acaf72cc4e7d.exe
1224	aOLkrjIygrep.exe
1224	aOLkrjIygrep.exe
332	MugkIqqutlan.exe
332	MugkIqqutlan.exe
1628	XFgYGlljTlan.exe
1628	XFgYGlljTlan.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1224	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	29
PID 1732 wrote to memory of 1224	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	29
PID 1732 wrote to memory of 1224	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	29
PID 1732 wrote to memory of 1224	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	29
PID 1732 wrote to memory of 332	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	30
PID 1732 wrote to memory of 332	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	30
PID 1732 wrote to memory of 332	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	30
PID 1732 wrote to memory of 332	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	30
PID 1732 wrote to memory of 1628	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	31
PID 1732 wrote to memory of 1628	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	31
PID 1732 wrote to memory of 1628	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	31
PID 1732 wrote to memory of 1628	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	31
PID 1732 wrote to memory of 2684	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	32
PID 1732 wrote to memory of 2684	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	32
PID 1732 wrote to memory of 2684	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	32
PID 1732 wrote to memory of 2684	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	32
PID 1732 wrote to memory of 2696	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	33
PID 1732 wrote to memory of 2696	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	33
PID 1732 wrote to memory of 2696	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	33
PID 1732 wrote to memory of 2696	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	33
PID 1732 wrote to memory of 3800	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	36
PID 1732 wrote to memory of 3800	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	36
PID 1732 wrote to memory of 3800	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	36
PID 1732 wrote to memory of 3800	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	36
PID 1732 wrote to memory of 3832	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	38
PID 1732 wrote to memory of 3832	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	38
PID 1732 wrote to memory of 3832	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	38
PID 1732 wrote to memory of 3832	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	38
PID 3800 wrote to memory of 3860	3800	net.exe	40
PID 3800 wrote to memory of 3860	3800	net.exe	40
PID 3800 wrote to memory of 3860	3800	net.exe	40
PID 3800 wrote to memory of 3860	3800	net.exe	40
PID 3832 wrote to memory of 3880	3832	net.exe	41
PID 3832 wrote to memory of 3880	3832	net.exe	41
PID 3832 wrote to memory of 3880	3832	net.exe	41
PID 3832 wrote to memory of 3880	3832	net.exe	41
PID 1732 wrote to memory of 744	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	42
PID 1732 wrote to memory of 744	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	42
PID 1732 wrote to memory of 744	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	42
PID 1732 wrote to memory of 744	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	42
PID 744 wrote to memory of 2856	744	net.exe	44
PID 744 wrote to memory of 2856	744	net.exe	44
PID 744 wrote to memory of 2856	744	net.exe	44
PID 744 wrote to memory of 2856	744	net.exe	44
PID 1732 wrote to memory of 2768	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	45
PID 1732 wrote to memory of 2768	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	45
PID 1732 wrote to memory of 2768	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	45
PID 1732 wrote to memory of 2768	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	45
PID 2768 wrote to memory of 1100	2768	net.exe	47
PID 2768 wrote to memory of 1100	2768	net.exe	47
PID 2768 wrote to memory of 1100	2768	net.exe	47
PID 2768 wrote to memory of 1100	2768	net.exe	47

C:\Users\Admin\AppData\Local\Temp\a563c50c5fa0fd541248acaf72cc4e7d.exe
"C:\Users\Admin\AppData\Local\Temp\a563c50c5fa0fd541248acaf72cc4e7d.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\aOLkrjIygrep.exe
  "C:\Users\Admin\AppData\Local\Temp\aOLkrjIygrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1224
- C:\Users\Admin\AppData\Local\Temp\MugkIqqutlan.exe
  "C:\Users\Admin\AppData\Local\Temp\MugkIqqutlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:332
- C:\Users\Admin\AppData\Local\Temp\XFgYGlljTlan.exe
  "C:\Users\Admin\AppData\Local\Temp\XFgYGlljTlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1628
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2684
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2696
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3860
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3880
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2856
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/332-21-0x0000000000550000-0x0000000000574000-memory.dmp

Filesize
144KB

Download
memory/1628-30-0x00000000004B0000-0x00000000004D4000-memory.dmp

Filesize
144KB

Download
memory/1732-2-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1732-5-0x0000000000380000-0x00000000003A2000-memory.dmp

Filesize
136KB

Download
memory/1732-4-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1732-3-0x0000000000590000-0x00000000005B4000-memory.dmp

Filesize
144KB

Download