djvu | 1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813

General

Target

1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
Size

841KB
MD5

bd2e92f812723f915ebe18bd706a782b
SHA1

fa60fa5e462c24d2ba7e103a8fd0674393545e9d
SHA256

1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813
SHA512

a7c3624a9eed59f9ab6f4f8a7a93585eaca0072fe9b9eac41c88df05dc354810b7ddfbeb0199908c559cfadd1c2139fb54d544ce98d421dd2e11418d757d0f17

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

C2

http://tzgl.org/lancer/get.php

Attributes

extension
.hgsh
offline_id
gYuqQ5GsAaJom08TivUVhlPzZDKd916x4NcXrWt1
payload_url
http://kotob.top/dl/build2.exe

http://tzgl.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-m8LBBi8x8F Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0358Sigrj

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2600-120-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/2600-119-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3560-121-0x0000000000730000-0x000000000084B000-memory.dmp	family_djvu
behavioral1/memory/2600-124-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/864-128-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/864-129-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

424 icacls.exe

pid	process
424	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\029b2a65-e39c-4a0b-8409-f393e3ecca1e\\1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe\" --AutoStart"	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 api.2ip.ua
17 api.2ip.ua
26 api.2ip.ua

flow	ioc
16	api.2ip.ua
17	api.2ip.ua
26	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

Processes:

1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe

description	pid	process	target process
PID 3560 set thread context of 2600	3560	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 868 set thread context of 864	868	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe

pid	process
2600	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
2600	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
864	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
864	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe

C:\Users\Admin\AppData\Local\Temp\1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
"C:\Users\Admin\AppData\Local\Temp\1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Users\Admin\AppData\Local\Temp\1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
  "C:\Users\Admin\AppData\Local\Temp\1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe"
  2⤵
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\029b2a65-e39c-4a0b-8409-f393e3ecca1e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:424
- - C:\Users\Admin\AppData\Local\Temp\1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
    "C:\Users\Admin\AppData\Local\Temp\1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Users\Admin\AppData\Local\Temp\1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
      "C:\Users\Admin\AppData\Local\Temp\1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
dfd1d8c11c8e104d9ca31b6b589fb717

SHA1
50e4a082219aa5c4e2376f1e9910a748287bef36

SHA256
7e5518f47ccc38390147991b40a3addde74cb52264f8808cf1088f5f711e2345

SHA512
31fea2c3cd0ad810a7a298251571ef14ac2445f8fe1fc5e806f26378a9397c47a04790b9a3c5a02af83c0e572878e7d6c59c7751a8be012902c1c86b699dd216

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0ffb91dc0ac91e9630245216a5677aff

SHA1
d861ae5652a25d5f0396178818058150adf00273

SHA256
b88d9ca03ea0f1c5900d203f3e416f0fa159823801358261823b5898cd97fe6b

SHA512
063f2bce3ead49f7bd9a7c8aa21161f78a25362034c2973f4d4721001f475296b7aee221801b7dc28a342bb5f4688be58c999ff13e777a19d8eb8147a75bcbc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
b22da9a25d0e8632bfe2cf34705697fa

SHA1
f50957cb93ecaf25988008c3ba6bc1150561a9ac

SHA256
be136fee1e0fc2534147a7c2f6832e440e4a5829a0643feee0f150a7e9223eba

SHA512
00ea8c17e01979b718f9b9fa0c77eeb2d0aed7247f5db57b5031a3728f636e645596ec7f6699559a58370f98af51d2f66683e8d866bba0cfadd11148bd431dd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
16a4f9b777a35404ee22d8046f5e4ff1

SHA1
d54e5ba16222e56f050b3c530098fbfecf6fda4c

SHA256
525dab06cfebd63223d9363a4d739ba41c59bdbf382db7135f09035d5beef49b

SHA512
3acbbf761cc3f636f48c314c77ebf4bfac2c1cd78384591e802cb25bd0c5fb94aed41e347a79d3f467ef4dce8e51d825f2aa45161767f98f82bb53b8565928b3

Download Submit
C:\Users\Admin\AppData\Local\029b2a65-e39c-4a0b-8409-f393e3ecca1e\1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe

MD5
bd2e92f812723f915ebe18bd706a782b

SHA1
fa60fa5e462c24d2ba7e103a8fd0674393545e9d

SHA256
1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813

SHA512
a7c3624a9eed59f9ab6f4f8a7a93585eaca0072fe9b9eac41c88df05dc354810b7ddfbeb0199908c559cfadd1c2139fb54d544ce98d421dd2e11418d757d0f17

Download Submit
memory/424-122-0x0000000000000000-mapping.dmp

Download
memory/864-129-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/864-128-0x0000000000424141-mapping.dmp

Download
memory/868-125-0x0000000000000000-mapping.dmp

Download
memory/868-126-0x000000000071D000-0x00000000007AF000-memory.dmp

Filesize
584KB

Download
memory/2600-124-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2600-119-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2600-120-0x0000000000424141-mapping.dmp

Download
memory/3560-118-0x0000000000632000-0x00000000006C4000-memory.dmp

Filesize
584KB

Download
memory/3560-121-0x0000000000730000-0x000000000084B000-memory.dmp

Filesize
1.1MB

Download

description	pid	process	target process
PID 3560 wrote to memory of 2600	3560	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 3560 wrote to memory of 2600	3560	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 3560 wrote to memory of 2600	3560	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 3560 wrote to memory of 2600	3560	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 3560 wrote to memory of 2600	3560	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 3560 wrote to memory of 2600	3560	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 3560 wrote to memory of 2600	3560	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 3560 wrote to memory of 2600	3560	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 3560 wrote to memory of 2600	3560	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 3560 wrote to memory of 2600	3560	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 2600 wrote to memory of 424	2600	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	icacls.exe
PID 2600 wrote to memory of 424	2600	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	icacls.exe
PID 2600 wrote to memory of 424	2600	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	icacls.exe
PID 2600 wrote to memory of 868	2600	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 2600 wrote to memory of 868	2600	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 2600 wrote to memory of 868	2600	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 868 wrote to memory of 864	868	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 868 wrote to memory of 864	868	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 868 wrote to memory of 864	868	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 868 wrote to memory of 864	868	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 868 wrote to memory of 864	868	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 868 wrote to memory of 864	868	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 868 wrote to memory of 864	868	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 868 wrote to memory of 864	868	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 868 wrote to memory of 864	868	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe
PID 868 wrote to memory of 864	868	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe	1c9477d24296e2248a7f9e41bf65bdf472e608d3eb16cd7784e69c7c5592f813.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads