djvu | e9a78c00f0c651f605119a584225f7ac87ef48eff719b6b4414931c88e7df7df

General

Target

c80ad6ada1635b8bca10287561eeae15.exe
Size

693KB
MD5

c80ad6ada1635b8bca10287561eeae15
SHA1

adcdbf7bffc69fb590785637a9a78a195421a375
SHA256

e9a78c00f0c651f605119a584225f7ac87ef48eff719b6b4414931c88e7df7df
SHA512

b08ae40cedcace5a918553923dc5a87ea488364c948fe5f3562d2a6353eac0a31779ecd18ef30770b3a5a2098ea7ec8886dc09b73026e407ebc52c39222025ba

Score

10^/10

djvu discovery persistence ransomware suricata

Malware Config

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1268-61-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1268-60-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1120-63-0x0000000001E80000-0x0000000001F9B000-memory.dmp	family_djvu
behavioral1/memory/1268-64-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1644-69-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1644-71-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1712 icacls.exe

pid	process
1712	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c80ad6ada1635b8bca10287561eeae15.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\32879844-93a0-41da-9847-ad909d1bd73b\\c80ad6ada1635b8bca10287561eeae15.exe\" --AutoStart"	c80ad6ada1635b8bca10287561eeae15.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.2ip.ua
4 api.2ip.ua
14 api.2ip.ua

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
14	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

Processes:

c80ad6ada1635b8bca10287561eeae15.exec80ad6ada1635b8bca10287561eeae15.exe

description	pid	process	target process
PID 1120 set thread context of 1268	1120	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1780 set thread context of 1644	1780	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

c80ad6ada1635b8bca10287561eeae15.exec80ad6ada1635b8bca10287561eeae15.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	c80ad6ada1635b8bca10287561eeae15.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c80ad6ada1635b8bca10287561eeae15.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c80ad6ada1635b8bca10287561eeae15.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	c80ad6ada1635b8bca10287561eeae15.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c80ad6ada1635b8bca10287561eeae15.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

c80ad6ada1635b8bca10287561eeae15.exec80ad6ada1635b8bca10287561eeae15.exe

pid	process
1268	c80ad6ada1635b8bca10287561eeae15.exe
1268	c80ad6ada1635b8bca10287561eeae15.exe
1644	c80ad6ada1635b8bca10287561eeae15.exe
1644	c80ad6ada1635b8bca10287561eeae15.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

c80ad6ada1635b8bca10287561eeae15.exec80ad6ada1635b8bca10287561eeae15.exec80ad6ada1635b8bca10287561eeae15.exe

C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
"C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
"C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\32879844-93a0-41da-9847-ad909d1bd73b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1712

C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
"C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
"C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
57ba3fd55153ccfffc38981d45eb27ef

SHA1
8b89079e2a405fe04a1a87fe901d88982ef516cb

SHA256
19d84b87ec3acb0894fbbb2c95b23053373568282aa6817da64607ed3225dcef

SHA512
58ae33ebb38e6bec6332b9085f8b41850b53d7de804bc87a462f9ce7b1e960051d3682fb87a14c159041a7577a36af95cb2edf971e4d23c902d583da9945c0b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
3f5ce173eed18d061760acea4c8f69f3

SHA1
c8a02499ede88cb10496fbbc77fee1f2757e6629

SHA256
b7666f21ebc73a75f02fefbf7d6f17700897b69301eae07ce4bab6b32ab107c8

SHA512
22f7b2af2a230e7f6ae2830d27b5769c07f0c3f8d327cfb6be6a4c632af012e823e303514c62dac8f70c973e4df81aeba10138a930d4a8880caf18c8a7062d24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
64d13837edfef4a89a9c623492a9b332

SHA1
01e0278dd285aa11a8f14a7177bd846f4d9f5ff5

SHA256
045bd2ff2ad748066903bbd0b22d201b5175f118b210799f5e7067baa29181aa

SHA512
4d18075c7568a177ea299c6f0805d984bc8081b16e539b90c20600ccc742f06c6968efe07016d85f49b9db7a7d29f9d26abdb4d33eceb1e188ad574a3b2f393e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
cb3eff6c7111580186680fc931e85a95

SHA1
41fb5b04f05c2c51de0fbb8b6872b3b751f8ac90

SHA256
21a68bfb667edbd127bb4c4aff22789b47429be36e1dbe8c398ccfe1fa865392

SHA512
5689cd8573ae0adc3bbd7defda4e4a81040fd7de0efe3e0891a2305b5a4c65686f9af0b1d48cf61ea12d2849d208171a3496e21d49ddb64cb905dc073cc9285f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
7ab4d897a68e71acd00e32db66040bcc

SHA1
a7f12ca1c366da9a6028a180343cfe00dd0ce291

SHA256
1286aebae5c0eeaaaf83555eab07ed0907ebac7ee3fae8f5abb8039c74138de8

SHA512
6494d373e0e0ae84ce10c4de498da0b7489cc13ac74ebeb63478e48c1c88bade6b17c826685e927f64e6eb4c7a5030f22807524f6a14112ba83356eef85c62fa

Download Submit
C:\Users\Admin\AppData\Local\32879844-93a0-41da-9847-ad909d1bd73b\c80ad6ada1635b8bca10287561eeae15.exe
MD5
c80ad6ada1635b8bca10287561eeae15

SHA1
adcdbf7bffc69fb590785637a9a78a195421a375

SHA256
e9a78c00f0c651f605119a584225f7ac87ef48eff719b6b4414931c88e7df7df

SHA512
b08ae40cedcace5a918553923dc5a87ea488364c948fe5f3562d2a6353eac0a31779ecd18ef30770b3a5a2098ea7ec8886dc09b73026e407ebc52c39222025ba

Download Submit
memory/1120-63-0x0000000001E80000-0x0000000001F9B000-memory.dmp

Filesize
1.1MB

Download
memory/1268-64-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1268-61-0x0000000000424141-mapping.dmp

Download
memory/1268-62-0x0000000074D91000-0x0000000074D93000-memory.dmp

Filesize
8KB

Download
memory/1268-60-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-71-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-69-0x0000000000424141-mapping.dmp

Download
memory/1712-65-0x0000000000000000-mapping.dmp

Download
memory/1780-67-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1120 wrote to memory of 1268	1120	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1120 wrote to memory of 1268	1120	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1120 wrote to memory of 1268	1120	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1120 wrote to memory of 1268	1120	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1120 wrote to memory of 1268	1120	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1120 wrote to memory of 1268	1120	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1120 wrote to memory of 1268	1120	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1120 wrote to memory of 1268	1120	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1120 wrote to memory of 1268	1120	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1120 wrote to memory of 1268	1120	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1120 wrote to memory of 1268	1120	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1268 wrote to memory of 1712	1268	c80ad6ada1635b8bca10287561eeae15.exe	icacls.exe
PID 1268 wrote to memory of 1712	1268	c80ad6ada1635b8bca10287561eeae15.exe	icacls.exe
PID 1268 wrote to memory of 1712	1268	c80ad6ada1635b8bca10287561eeae15.exe	icacls.exe
PID 1268 wrote to memory of 1712	1268	c80ad6ada1635b8bca10287561eeae15.exe	icacls.exe
PID 1268 wrote to memory of 1780	1268	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1268 wrote to memory of 1780	1268	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1268 wrote to memory of 1780	1268	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1268 wrote to memory of 1780	1268	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1780 wrote to memory of 1644	1780	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1780 wrote to memory of 1644	1780	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1780 wrote to memory of 1644	1780	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1780 wrote to memory of 1644	1780	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1780 wrote to memory of 1644	1780	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1780 wrote to memory of 1644	1780	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1780 wrote to memory of 1644	1780	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1780 wrote to memory of 1644	1780	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1780 wrote to memory of 1644	1780	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1780 wrote to memory of 1644	1780	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1780 wrote to memory of 1644	1780	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads