djvu | ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7

General

Target

ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
Size

797KB
MD5

3bd2860ed63fe32da31ab9c3a8c3498c
SHA1

5cfdb07bd9820ebc9731e348133774b311405509
SHA256

ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7
SHA512

9a9ea261733566d6ac9c498878e3ab192fb8382bf5b4129dc5e116578eb3177fe0a2944d0511db57fa02ffb24ff576e5defbdd80a43ff68d46c88ef72d323f62

Score

10^/10

djvu discovery persistence ransomware suricata

Malware Config

Extracted

Family

djvu

C2

http://tzgl.org/lancer/get.php

Attributes

extension
.yqal
offline_id
K3PMMX2aWwpnYby88Dzg7tmaIW7Tv0HMWvSyr7t1
payload_url
http://kotob.top/dl/build2.exe
http://tzgl.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-rIyEiK9ekc Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0356gSd743d

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3288-116-0x00000000022C0000-0x00000000023DB000-memory.dmp	family_djvu
behavioral1/memory/2644-117-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2644-118-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/2644-119-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2236-125-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/2236-126-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1788 icacls.exe

pid	process
1788	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2395cfe4-5a5c-4aa5-875c-4e763006f6f0\\ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe\" --AutoStart"	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.2ip.ua
9 api.2ip.ua
22 api.2ip.ua

flow	ioc
8	api.2ip.ua
9	api.2ip.ua
22	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

Processes:

ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exeee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe

description	pid	process	target process
PID 3288 set thread context of 2644	3288	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 624 set thread context of 2236	624	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exeee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe

pid	process
2644	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
2644	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
2236	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
2236	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exeee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exeee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe

C:\Users\Admin\AppData\Local\Temp\ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
"C:\Users\Admin\AppData\Local\Temp\ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3288

C:\Users\Admin\AppData\Local\Temp\ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
"C:\Users\Admin\AppData\Local\Temp\ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\2395cfe4-5a5c-4aa5-875c-4e763006f6f0" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1788

C:\Users\Admin\AppData\Local\Temp\ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
"C:\Users\Admin\AppData\Local\Temp\ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
"C:\Users\Admin\AppData\Local\Temp\ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
6a4823dd14ee6616a4ef99d2bea9a44c

SHA1
1b0952c188fce7f3a0014cb473a80a66f3c71337

SHA256
cef0b13034255ff54ac6ee3a35c93cd92fe3d80e5793c2b5e63c0a42fcc3ff98

SHA512
a41d2a3f5c827518c102487af315e1303a50578eb258f65c17591eba0bc027ee2aa0a4941c494b9b5eb89842382f60ab3fec66e15a3f77cbf03cbae6dd9974c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
efd1d8e8293f5bd8d688fef877221ccb

SHA1
55fd26b5c3ad5242aa08d1910c2e085d30489549

SHA256
43be67b3e85dd203dfabd04252b7b5a261b21ec846e11d760a4f07e70bf528c1

SHA512
755e7c67c4a0bc84debd21727d38dca438e7ea3ac8dc98b5f4140ae3f5de32c34aacd63c7cbfb110e1a2d3859089317a4401e07b7db5c36d2d167d9b764ec2cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
1c01a480e00e852229e5af52f86d4234

SHA1
4aae64a80d2e317047b5ec54203a8fc9a4a0923b

SHA256
7d4d990d2a38a1a789d708482c3c752e7a0498511ee4bcd661ca19f7f7ac6845

SHA512
0016444a7461526c35cf74243f54f888c95039710931a30a9e294687d0e97f2dbe30ea6069d2ed58f49129f9b1db6d3f7dbb1b3320d0602a993fee1051533b47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
b6cff28ad8e00936eec9a1495d853129

SHA1
f77c1d3bd260fd51af39c4ce7e0fda4f1047c4f0

SHA256
e4e81bcd4a5e89c57408c03dc664183a21679098b4d97f77f47275f314c18fee

SHA512
1439f93832fdc382741b09923103995b751653ca14bd66779b0da9bd995f1c390356b331da7ba35cd4b9e3cffa48cba9d26908ed33eb0343465aff6f2234c6bd

Download Submit
C:\Users\Admin\AppData\Local\2395cfe4-5a5c-4aa5-875c-4e763006f6f0\ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
MD5
3bd2860ed63fe32da31ab9c3a8c3498c

SHA1
5cfdb07bd9820ebc9731e348133774b311405509

SHA256
ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7

SHA512
9a9ea261733566d6ac9c498878e3ab192fb8382bf5b4129dc5e116578eb3177fe0a2944d0511db57fa02ffb24ff576e5defbdd80a43ff68d46c88ef72d323f62

Download Submit
memory/624-123-0x0000000002126000-0x00000000021B8000-memory.dmp

Filesize
584KB

Download
memory/624-122-0x0000000000000000-mapping.dmp

Download
memory/1788-120-0x0000000000000000-mapping.dmp

Download
memory/2236-125-0x0000000000424141-mapping.dmp

Download
memory/2236-126-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2644-119-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2644-118-0x0000000000424141-mapping.dmp

Download
memory/2644-117-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3288-115-0x000000000066B000-0x00000000006FD000-memory.dmp

Filesize
584KB

Download
memory/3288-116-0x00000000022C0000-0x00000000023DB000-memory.dmp

Filesize
1.1MB

Download

description	pid	process	target process
PID 3288 wrote to memory of 2644	3288	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 3288 wrote to memory of 2644	3288	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 3288 wrote to memory of 2644	3288	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 3288 wrote to memory of 2644	3288	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 3288 wrote to memory of 2644	3288	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 3288 wrote to memory of 2644	3288	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 3288 wrote to memory of 2644	3288	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 3288 wrote to memory of 2644	3288	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 3288 wrote to memory of 2644	3288	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 3288 wrote to memory of 2644	3288	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 2644 wrote to memory of 1788	2644	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	icacls.exe
PID 2644 wrote to memory of 1788	2644	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	icacls.exe
PID 2644 wrote to memory of 1788	2644	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	icacls.exe
PID 2644 wrote to memory of 624	2644	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 2644 wrote to memory of 624	2644	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 2644 wrote to memory of 624	2644	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 624 wrote to memory of 2236	624	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 624 wrote to memory of 2236	624	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 624 wrote to memory of 2236	624	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 624 wrote to memory of 2236	624	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 624 wrote to memory of 2236	624	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 624 wrote to memory of 2236	624	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 624 wrote to memory of 2236	624	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 624 wrote to memory of 2236	624	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 624 wrote to memory of 2236	624	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe
PID 624 wrote to memory of 2236	624	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe	ee7232883f14ea8e02751218805d313b2f57e686f7abd5ea855f2b65cf5e6cf7.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads