djvu | d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6

General

Target

d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
Size

854KB
MD5

a6302fea85ed3f4e505cd5751ca5b9c7
SHA1

9c7db8e46dbb562ab4be33a499c9d4fa30a75172
SHA256

d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6
SHA512

a33dea96679bab9bc2a98325898ff04c5a166a9a8ad799afd55375b0547c153a2136e404ea0ada1620f39e34f9a0b84d4b47545695a95fd4eafa177eb3384378

Score

10^/10

djvu discovery persistence ransomware suricata

Malware Config

Extracted

Family

djvu

C2

http://pqkl.org/lancer/get.php

Attributes

extension
.qmak
offline_id
mGOVYjwKN5zpBZyRsr2Nqza9xnxDzO1NGhAl47t1
payload_url
http://kotob.top/dl/build2.exe

http://pqkl.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-W7mpKFSSv2 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0348gSd743d

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3044-116-0x00000000049F0000-0x0000000004B0B000-memory.dmp	family_djvu
behavioral1/memory/2760-117-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2760-118-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/2760-119-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3164-125-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/3164-130-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2656 icacls.exe

pid	process
2656	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\432d7a55-2c21-46fb-8644-69980109aa17\\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe\" --AutoStart"	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 api.2ip.ua
8 api.2ip.ua
9 api.2ip.ua

flow	ioc
26	api.2ip.ua
8	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

Processes:

d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exed74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe

description	pid	process	target process
PID 3044 set thread context of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 1304 set thread context of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exed74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe

pid	process
2760	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
2760	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
3164	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
3164	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exed74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exed74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe

C:\Users\Admin\AppData\Local\Temp\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
"C:\Users\Admin\AppData\Local\Temp\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
  "C:\Users\Admin\AppData\Local\Temp\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe"
  2⤵
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\432d7a55-2c21-46fb-8644-69980109aa17" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2656
- - C:\Users\Admin\AppData\Local\Temp\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
    "C:\Users\Admin\AppData\Local\Temp\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Users\Admin\AppData\Local\Temp\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
      "C:\Users\Admin\AppData\Local\Temp\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
d8ec7917c33f103a7288af33cae7de14

SHA1
285babb225e06e84a4050f140d21970ecd9d39ee

SHA256
467d7ceb2f929daba1e910064fad42123bb2ecd65f57423900bb3777e88b7e89

SHA512
9accf32dbfd9260dbfee95982c6487882828f86f3e090f598d6f426760c093886ba68ec664b7db942027320c1eb95029c45c98ea139308a491d0b15dab6aad79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
026c2a59b797991b8379df56c6ea513a

SHA1
266a2e055410708de4db7e704b4ed449006a1f2b

SHA256
21ed5e42cf0d63dffeb9e5d3711e6b760f84d8c8c1715d5f8bf9ea047a1dbabe

SHA512
809116817fd88a722ccaa7703a850e103e034aa20b351f50f5b29ee198352568a6aa06cd78b75c19e03757230d30058366f3c25aa043c02d9f7d5301f457cb80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
442f3e63c839e084c86a37ab048e0710

SHA1
8bf476ad5a738f5a0df899b09fcd94f744a27a90

SHA256
55f853690ae63f043eba17c4fb9f4750f8e8fa02a9a3e89f18e07545e703ebba

SHA512
d32b1a3989cee95e9447c502763596a2bfdb1b07837d112bc2df63160a3010f8cfe5d4d1c46c13f2707845ae80e0474a79fd4d9f7457e4d696e7a249f2b802e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
9a7fb0ef5f9beac856bfbd8418b6765b

SHA1
0af583a03be9fbbbd8779d30d001ced55aa17d26

SHA256
0bb36a53b0b3ebe12e6ff0772550a76665892b9c753bb5ad6bfb7d9e4be145e0

SHA512
9084414178722e70072d572e67a1ae3cb4550dcd38a9aca5e50bc9cf8af4e45ff85d143fea3d98e588933164c439850121cfeb182ddde075a053004a100b1b8b

Download Submit
C:\Users\Admin\AppData\Local\432d7a55-2c21-46fb-8644-69980109aa17\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe

MD5
a6302fea85ed3f4e505cd5751ca5b9c7

SHA1
9c7db8e46dbb562ab4be33a499c9d4fa30a75172

SHA256
d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6

SHA512
a33dea96679bab9bc2a98325898ff04c5a166a9a8ad799afd55375b0547c153a2136e404ea0ada1620f39e34f9a0b84d4b47545695a95fd4eafa177eb3384378

Download Submit
memory/1304-123-0x00000000048C6000-0x0000000004957000-memory.dmp

Filesize
580KB

Download
memory/1304-122-0x0000000000000000-mapping.dmp

Download
memory/2656-120-0x0000000000000000-mapping.dmp

Download
memory/2760-118-0x0000000000424141-mapping.dmp

Download
memory/2760-119-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2760-117-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3044-115-0x000000000495A000-0x00000000049EB000-memory.dmp

Filesize
580KB

Download
memory/3044-116-0x00000000049F0000-0x0000000004B0B000-memory.dmp

Filesize
1.1MB

Download
memory/3164-125-0x0000000000424141-mapping.dmp

Download
memory/3164-130-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

description	pid	process	target process
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 2760 wrote to memory of 2656	2760	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	icacls.exe
PID 2760 wrote to memory of 2656	2760	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	icacls.exe
PID 2760 wrote to memory of 2656	2760	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	icacls.exe
PID 2760 wrote to memory of 1304	2760	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 2760 wrote to memory of 1304	2760	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 2760 wrote to memory of 1304	2760	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads