djvu | e9a78c00f0c651f605119a584225f7ac87ef48eff719b6b4414931c88e7df7df

General

Target

c80ad6ada1635b8bca10287561eeae15.exe
Size

693KB
MD5

c80ad6ada1635b8bca10287561eeae15
SHA1

adcdbf7bffc69fb590785637a9a78a195421a375
SHA256

e9a78c00f0c651f605119a584225f7ac87ef48eff719b6b4414931c88e7df7df
SHA512

b08ae40cedcace5a918553923dc5a87ea488364c948fe5f3562d2a6353eac0a31779ecd18ef30770b3a5a2098ea7ec8886dc09b73026e407ebc52c39222025ba

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/832-54-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/832-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1564-56-0x0000000001EC0000-0x0000000001FDB000-memory.dmp	family_djvu
behavioral1/memory/832-57-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1796-62-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1796-64-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1184 icacls.exe

pid	process
1184	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c80ad6ada1635b8bca10287561eeae15.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\51175cde-ef7e-46d1-81f2-e2575b079f56\\c80ad6ada1635b8bca10287561eeae15.exe\" --AutoStart"	c80ad6ada1635b8bca10287561eeae15.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.2ip.ua
4 api.2ip.ua
12 api.2ip.ua

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
12	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

Processes:

c80ad6ada1635b8bca10287561eeae15.exec80ad6ada1635b8bca10287561eeae15.exe

description	pid	process	target process
PID 1564 set thread context of 832	1564	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1464 set thread context of 1796	1464	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

c80ad6ada1635b8bca10287561eeae15.exec80ad6ada1635b8bca10287561eeae15.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	c80ad6ada1635b8bca10287561eeae15.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c80ad6ada1635b8bca10287561eeae15.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c80ad6ada1635b8bca10287561eeae15.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	c80ad6ada1635b8bca10287561eeae15.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c80ad6ada1635b8bca10287561eeae15.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

c80ad6ada1635b8bca10287561eeae15.exec80ad6ada1635b8bca10287561eeae15.exe

pid	process
832	c80ad6ada1635b8bca10287561eeae15.exe
832	c80ad6ada1635b8bca10287561eeae15.exe
1796	c80ad6ada1635b8bca10287561eeae15.exe
1796	c80ad6ada1635b8bca10287561eeae15.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

c80ad6ada1635b8bca10287561eeae15.exec80ad6ada1635b8bca10287561eeae15.exec80ad6ada1635b8bca10287561eeae15.exe

C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
"C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
"C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\51175cde-ef7e-46d1-81f2-e2575b079f56" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1184

C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
"C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
"C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
57ba3fd55153ccfffc38981d45eb27ef

SHA1
8b89079e2a405fe04a1a87fe901d88982ef516cb

SHA256
19d84b87ec3acb0894fbbb2c95b23053373568282aa6817da64607ed3225dcef

SHA512
58ae33ebb38e6bec6332b9085f8b41850b53d7de804bc87a462f9ce7b1e960051d3682fb87a14c159041a7577a36af95cb2edf971e4d23c902d583da9945c0b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
3f5ce173eed18d061760acea4c8f69f3

SHA1
c8a02499ede88cb10496fbbc77fee1f2757e6629

SHA256
b7666f21ebc73a75f02fefbf7d6f17700897b69301eae07ce4bab6b32ab107c8

SHA512
22f7b2af2a230e7f6ae2830d27b5769c07f0c3f8d327cfb6be6a4c632af012e823e303514c62dac8f70c973e4df81aeba10138a930d4a8880caf18c8a7062d24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
303361333672ba3b50fe36b43b02e607

SHA1
49e13caeb47304c673b61f1be9c6741c59c79770

SHA256
bbffa4861bd5b16a21091e665425186b9cf1865a4c0e2574e9d23ac0c395efcd

SHA512
7b449ee68e5fe315dabb0a199437514c2e4cd2f9987e83fabb190f45c18e6c4ae8ef0e480f6e8b6dd293467a0589bf923471d51fcd861d8827955af9303b4363

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
9a95d5df807e5075ac21dc35b8734251

SHA1
8b88b6430fae817851531848b24224a163e69d53

SHA256
c2a209bd34ca8739c517498d2fbda4d14c781a98b9d7960657c213451c68cf59

SHA512
1f38c48f1a97c7b055f151b19c0c1a97dd3eea6a5196319abf3b202302ec2d4319ef17d7cd148837fc3a6e32c92733538f642de3dd9311f00d13d9fed11ed263

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
88c36d0ff9dd99a9aee01db5de2e1d8b

SHA1
b870cc0d11f04c2fe1263ce028e00515c130fedf

SHA256
dd4ad160a7f65b064219007c706796c2d0df746cec3e266de25cbb840fae85c4

SHA512
9da943d1f977fbf286a4b6032b85ead08ec64a2d78745839783ecd8857839cccbdc86cb10e32da9affe1460bdaa7824cd093d5f3a896851a0e7eed0e4b47476f

Download Submit
C:\Users\Admin\AppData\Local\51175cde-ef7e-46d1-81f2-e2575b079f56\c80ad6ada1635b8bca10287561eeae15.exe
MD5
c80ad6ada1635b8bca10287561eeae15

SHA1
adcdbf7bffc69fb590785637a9a78a195421a375

SHA256
e9a78c00f0c651f605119a584225f7ac87ef48eff719b6b4414931c88e7df7df

SHA512
b08ae40cedcace5a918553923dc5a87ea488364c948fe5f3562d2a6353eac0a31779ecd18ef30770b3a5a2098ea7ec8886dc09b73026e407ebc52c39222025ba

Download Submit
memory/832-57-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/832-54-0x0000000000424141-mapping.dmp

Download
memory/832-55-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/832-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1184-58-0x0000000000000000-mapping.dmp

Download
memory/1464-60-0x0000000000000000-mapping.dmp

Download
memory/1564-56-0x0000000001EC0000-0x0000000001FDB000-memory.dmp

Filesize
1.1MB

Download
memory/1796-62-0x0000000000424141-mapping.dmp

Download
memory/1796-64-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

description	pid	process	target process
PID 1564 wrote to memory of 832	1564	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1564 wrote to memory of 832	1564	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1564 wrote to memory of 832	1564	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1564 wrote to memory of 832	1564	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1564 wrote to memory of 832	1564	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1564 wrote to memory of 832	1564	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1564 wrote to memory of 832	1564	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1564 wrote to memory of 832	1564	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1564 wrote to memory of 832	1564	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1564 wrote to memory of 832	1564	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1564 wrote to memory of 832	1564	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 832 wrote to memory of 1184	832	c80ad6ada1635b8bca10287561eeae15.exe	icacls.exe
PID 832 wrote to memory of 1184	832	c80ad6ada1635b8bca10287561eeae15.exe	icacls.exe
PID 832 wrote to memory of 1184	832	c80ad6ada1635b8bca10287561eeae15.exe	icacls.exe
PID 832 wrote to memory of 1184	832	c80ad6ada1635b8bca10287561eeae15.exe	icacls.exe
PID 832 wrote to memory of 1464	832	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 832 wrote to memory of 1464	832	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 832 wrote to memory of 1464	832	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 832 wrote to memory of 1464	832	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1464 wrote to memory of 1796	1464	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1464 wrote to memory of 1796	1464	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1464 wrote to memory of 1796	1464	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1464 wrote to memory of 1796	1464	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1464 wrote to memory of 1796	1464	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1464 wrote to memory of 1796	1464	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1464 wrote to memory of 1796	1464	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1464 wrote to memory of 1796	1464	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1464 wrote to memory of 1796	1464	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1464 wrote to memory of 1796	1464	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1464 wrote to memory of 1796	1464	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads