djvu | 004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af

General

Target

004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe
Size

707KB
MD5

a97ffe4f4a0109b5c0888b7958fad1e4
SHA1

e1d8944aad86ff8b86f10db20470e7d11e45eceb
SHA256

004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af
SHA512

6ceb2f0c605670f405dfc7424163a813c65c5d9f2a0ff9c49f3daa9f544414cde0d87bf6ffc1dd052bd4dc3efcb6915bc83bce35265d3d32865b0214804081f5

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

C2

http://nokd.top/ydtftysdtyftysdfsdpen3/get.php

Attributes

extension
.opqz
offline_id
zmgd82h65FItjbl56ff6P5GS3sZpZ1qEEGUOW6t1
payload_url
http://nokd.top/files/penelop/updatewin1.exe

http://nokd.top/files/penelop/updatewin2.exe

http://nokd.top/files/penelop/updatewin.exe

http://nokd.top/files/penelop/3.exe

http://nokd.top/files/penelop/4.exe

http://nokd.top/files/penelop/5.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-sBwlEg46JX Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0216OIWojlj48

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/884-57-0x0000000001D90000-0x0000000001EAA000-memory.dmp	family_djvu
behavioral1/memory/884-58-0x0000000000400000-0x0000000000560000-memory.dmp	family_djvu
behavioral1/memory/1604-65-0x0000000000400000-0x0000000000560000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1404 icacls.exe

pid	process
1404	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8be96c6c-2ce6-474b-97b8-48ec4bde2a37\\004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe\" --AutoStart"	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.2ip.ua
4 api.2ip.ua
16 api.2ip.ua
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
16	api.2ip.ua

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe

pid	process
884	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe
884	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe
1604	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe
1604	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe

description	pid	process	target process
PID 884 wrote to memory of 1404	884	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe	icacls.exe
PID 884 wrote to memory of 1404	884	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe	icacls.exe
PID 884 wrote to memory of 1404	884	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe	icacls.exe
PID 884 wrote to memory of 1404	884	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe	icacls.exe
PID 884 wrote to memory of 1604	884	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe
PID 884 wrote to memory of 1604	884	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe
PID 884 wrote to memory of 1604	884	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe
PID 884 wrote to memory of 1604	884	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe	004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe

C:\Users\Admin\AppData\Local\Temp\004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe
"C:\Users\Admin\AppData\Local\Temp\004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\8be96c6c-2ce6-474b-97b8-48ec4bde2a37" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:1404
- C:\Users\Admin\AppData\Local\Temp\004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe
  "C:\Users\Admin\AppData\Local\Temp\004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3538626A1FCCCA43C7E18F220BDD9B02

Filesize
978B

MD5
b592e5c624704ea7476cce4abe7445c2

SHA1
8ef51330304f98d636990030f73ec2b77c9d0c7a

SHA256
ee75f270c3a6c1ff56c8353538a8647de68070334115db73837be882c68ae6a2

SHA512
5dae484b9bd226c59e14a52b428f3e96312e7fba02b4c5105591a7615be3e808d54494cfae9d4d09ca64036fdc0e522eb3b85d8c59c4ddf159704df5b999b60e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
b9f21d8db36e88831e5352bb82c438b3

SHA1
4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

SHA256
998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

SHA512
d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
471B

MD5
b1c4234d2346ca5a2267de9f0bab4b81

SHA1
d6d10976b258ee86430063fdfb1838bb73838aeb

SHA256
e75d5e79323e42e337cf188a296db211f5d7dd488d03adf4b1be7836f997e3ed

SHA512
8b1d4c34ad847b73d060cb35dba350032be0a8cd82637a5c52805c078ea986ea44446040f588fb4edda4a233e424bdb6dc3ba016b7647936ec4ef4f971ff1e17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3538626A1FCCCA43C7E18F220BDD9B02

Filesize
274B

MD5
df1f549c10370fcc112ea72a67b6d1bf

SHA1
152dee3ea0872501b7f85b3ff4b73398d1c1d4b9

SHA256
107827371eea06797cb8f4feca31d729c48a3f1357364d276bf88e43f8408801

SHA512
510f37d88e63f3b54fce3848745dd3533577fdc11f6be04e280fdd215195b4fe5c4177e65468190955b52f71c6bcae4785a9e7b6dbdcdc3e2b20abad2624969d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6cb0026b6dc4b1cc5443d3ff52ad1f13

SHA1
0e12ad1a99b97023e56536c1d85b461f075caada

SHA256
a6100d11726812998e9351eae732874117b43ec80bfcd45e418b51bf6206eabd

SHA512
26911dd8712bd6cb20ff6baa253637cfa14fef8f1dceee741b0353f6566cde2be6a9643eb738b0d5381c59d4cb6f23556ac3859dc369776cf2bcc8f87da2fade

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
396B

MD5
be7e5e1fa9cb8790a0e3314cacf104ca

SHA1
62e9ca7e0eab2d2db093495ef4389ccb9a6b1333

SHA256
fe457df70888562f3bfd7794f84841aaafbb3b192fae0388ee0adb28371f28f5

SHA512
bb497f9f5636aff66bc749ddd8fbcdd3dd4084b2d5412e395970287d886235d3f05c548da43b019ba3b79f37b4e56667fecd97192e70a256c809052adb4581d9

Download Submit
C:\Users\Admin\AppData\Local\8be96c6c-2ce6-474b-97b8-48ec4bde2a37\004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af.exe

Filesize
707KB

MD5
a97ffe4f4a0109b5c0888b7958fad1e4

SHA1
e1d8944aad86ff8b86f10db20470e7d11e45eceb

SHA256
004cc8429fcb322e0acf0aadc15313c08cd4f2f56d77229b0f61a6e63d3c60af

SHA512
6ceb2f0c605670f405dfc7424163a813c65c5d9f2a0ff9c49f3daa9f544414cde0d87bf6ffc1dd052bd4dc3efcb6915bc83bce35265d3d32865b0214804081f5

Download Submit
memory/884-58-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/884-54-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/884-57-0x0000000001D90000-0x0000000001EAA000-memory.dmp

Filesize
1.1MB

Download
memory/884-56-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/884-55-0x0000000075941000-0x0000000075943000-memory.dmp

Filesize
8KB

Download
memory/1404-59-0x0000000000000000-mapping.dmp

Download
memory/1604-62-0x00000000007D0000-0x0000000000861000-memory.dmp

Filesize
580KB

Download
memory/1604-64-0x00000000007D0000-0x0000000000861000-memory.dmp

Filesize
580KB

Download
memory/1604-65-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/1604-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads