djvu | 377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1

General

Target

377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
Size

797KB
MD5

3a4f43491ddd022ab7e01519a5ed8943
SHA1

0166b01cb32ca9f0e3d3fa4f219c3b311cf95866
SHA256

377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1
SHA512

55348b4108dfe6fdde451180f229338b9f71bea665db74be71b28332992082741d6cd3a8886114b70ba16cef1a8c9f98a2d2af888cdfa7fce784da8f06194b8b

Score

10^/10

djvu vidar 517 discovery persistence ransomware stealer suricata

Malware Config

Extracted

Family

vidar

Version

52.1

Botnet

517

C2

https://t.me/verstappenf1r

https://climatejustice.social/@ronxik312

Attributes

profile_id
517

Signatures

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata

Vidar Stealer 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/3212-145-0x0000000000400000-0x000000000044C000-memory.dmp	family_vidar
behavioral1/memory/2724-144-0x00000000008D0000-0x0000000000919000-memory.dmp	family_vidar
behavioral1/memory/3212-143-0x0000000000400000-0x000000000044C000-memory.dmp	family_vidar
behavioral1/memory/3212-141-0x000000000042103C-mapping.dmp	family_vidar
behavioral1/memory/3212-140-0x0000000000400000-0x000000000044C000-memory.dmp	family_vidar
behavioral1/memory/3212-146-0x0000000000400000-0x000000000044C000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

build2.exebuild2.exe

pid process

2724 build2.exe
3212 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3164 icacls.exe

pid	process
2724	build2.exe
3212	build2.exe

pid	process
3164	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\14a5293f-052d-445d-b3c7-663c66bd65bf\\377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe\" --AutoStart"	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.2ip.ua
9 api.2ip.ua
1 api.2ip.ua

flow	ioc
2	api.2ip.ua
9	api.2ip.ua
1	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exebuild2.exe

description	pid	process	target process
PID 3940 set thread context of 3772	3940	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 980 set thread context of 2248	980	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 2724 set thread context of 3212	2724	build2.exe	build2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe

pid	process
3772	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
3772	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
2248	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
2248	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exebuild2.exe

C:\Users\Admin\AppData\Local\Temp\377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
"C:\Users\Admin\AppData\Local\Temp\377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Local\Temp\377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
  "C:\Users\Admin\AppData\Local\Temp\377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe"
  2⤵
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\14a5293f-052d-445d-b3c7-663c66bd65bf" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:3164
- - C:\Users\Admin\AppData\Local\Temp\377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
    "C:\Users\Admin\AppData\Local\Temp\377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Users\Admin\AppData\Local\Temp\377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
      "C:\Users\Admin\AppData\Local\Temp\377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2248
    - - C:\Users\Admin\AppData\Local\e624e9ef-5621-4c32-b562-c0b94c5557fd\build2.exe
        
        "C:\Users\Admin\AppData\Local\e624e9ef-5621-4c32-b562-c0b94c5557fd\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Users\Admin\AppData\Local\e624e9ef-5621-4c32-b562-c0b94c5557fd\build2.exe
        
        "C:\Users\Admin\AppData\Local\e624e9ef-5621-4c32-b562-c0b94c5557fd\build2.exe"
        6⤵
        Executes dropped EXE
        
        PID:3212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
727B

MD5
263d12469947e2539c2a2a04bb056345

SHA1
a63fd9efc397db4cc1a82cf89b7fc8e0f6694d39

SHA256
102af65a56e5cea616b871487be0aa8525e3258d514ca80d3a2918c3a4f23315

SHA512
571bd3d3ec72023ea4ec0861baeff535fc3e71716f2c08c3305f25d615448b13a4d4bc0f7d05c500f523ad13e6ba3c2e2549891c63cc170b7f1743bc8a148df1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
471B

MD5
1670ab0904b0779e9046a6c0ae0ccf8b

SHA1
0030369be3da0ef23ac809d8963fdeb76de17eeb

SHA256
34a5f72509ddfed75552cbb5007e460c9c9f6dc6c511b12e32083b1a9c030ba5

SHA512
e0cf63ec3f97979c2ad1318954f2daecc3639c3112548796ba8996eb119443a4bca933e1353f1dfd4068de7925ef765a3a9f4f5591702c5876b9a46246415e7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
402B

MD5
ddf711a8a4c7f13f2d1049d353ef2ba6

SHA1
0ec297677bb3afe654045dade1e3a08025fa3b2d

SHA256
2fefb9c32f0d2aa3a79badc5a861893f5f016809f7a10d6eafca2c66e4f7bc76

SHA512
09754a904d7093a92138430ca2a34b5267244738ada563914f3845c9e02282641e655a2d757ff7a5fce58160a1859acc91ee0db37c1f247290f3dfb38fd73c2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
396B

MD5
9e7368b706ffcc7b8803adc29cb79de5

SHA1
fcb993bf2cb0ce88e53ffab0ef7a300a58f5ae7c

SHA256
09fa000796f3ff9be8563fdb73bda63823c65db5f62cf4d75f4f9935115d8cd8

SHA512
76d6056f6d819255d5afbababd2bf06aee9775d1fb0bc7d114085846c73ecaee060b9ec77e554ba7271348754937acf5abf0cdbd1bbd504faaf53afad383813e

Download Submit
C:\Users\Admin\AppData\Local\14a5293f-052d-445d-b3c7-663c66bd65bf\377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe

Filesize
797KB

MD5
3a4f43491ddd022ab7e01519a5ed8943

SHA1
0166b01cb32ca9f0e3d3fa4f219c3b311cf95866

SHA256
377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1

SHA512
55348b4108dfe6fdde451180f229338b9f71bea665db74be71b28332992082741d6cd3a8886114b70ba16cef1a8c9f98a2d2af888cdfa7fce784da8f06194b8b

Download Submit
C:\Users\Admin\AppData\Local\e624e9ef-5621-4c32-b562-c0b94c5557fd\build2.exe

Filesize
367KB

MD5
3107999f9600f5f2bc88e17282da2773

SHA1
8862f9551fdb7dc30e135c556751b973f441e7b4

SHA256
aacab9cbbf292403a63bcfd1f6f0a9e534ac39aab406f2c9d7aa98b719f3801f

SHA512
50c66565fc457b848014eaf70b3f7cc408e8a818bd29c80daf53597a44c182d26649c249a6e3fe7e6516fc7ff7e7026f3aff4b25ee48645789fa6cd3d3e2f338

Download Submit
C:\Users\Admin\AppData\Local\e624e9ef-5621-4c32-b562-c0b94c5557fd\build2.exe

Filesize
367KB

MD5
3107999f9600f5f2bc88e17282da2773

SHA1
8862f9551fdb7dc30e135c556751b973f441e7b4

SHA256
aacab9cbbf292403a63bcfd1f6f0a9e534ac39aab406f2c9d7aa98b719f3801f

SHA512
50c66565fc457b848014eaf70b3f7cc408e8a818bd29c80daf53597a44c182d26649c249a6e3fe7e6516fc7ff7e7026f3aff4b25ee48645789fa6cd3d3e2f338

Download Submit
C:\Users\Admin\AppData\Local\e624e9ef-5621-4c32-b562-c0b94c5557fd\build2.exe

Filesize
367KB

MD5
3107999f9600f5f2bc88e17282da2773

SHA1
8862f9551fdb7dc30e135c556751b973f441e7b4

SHA256
aacab9cbbf292403a63bcfd1f6f0a9e534ac39aab406f2c9d7aa98b719f3801f

SHA512
50c66565fc457b848014eaf70b3f7cc408e8a818bd29c80daf53597a44c182d26649c249a6e3fe7e6516fc7ff7e7026f3aff4b25ee48645789fa6cd3d3e2f338

Download Submit
memory/980-125-0x0000000000000000-mapping.dmp

Download
memory/2248-135-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2248-130-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2248-129-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2248-128-0x0000000000424141-mapping.dmp

Download
memory/2724-144-0x00000000008D0000-0x0000000000919000-memory.dmp

Filesize
292KB

Download
memory/2724-136-0x0000000000000000-mapping.dmp

Download
memory/3164-123-0x0000000000000000-mapping.dmp

Download
memory/3212-145-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3212-143-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3212-141-0x000000000042103C-mapping.dmp

Download
memory/3212-140-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3212-146-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3772-121-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3772-118-0x0000000000424141-mapping.dmp

Download
memory/3772-122-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3772-117-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3772-119-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3940-120-0x0000000002880000-0x000000000299B000-memory.dmp

Filesize
1.1MB

Download

description	pid	process	target process
PID 3940 wrote to memory of 3772	3940	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 3940 wrote to memory of 3772	3940	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 3940 wrote to memory of 3772	3940	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 3940 wrote to memory of 3772	3940	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 3940 wrote to memory of 3772	3940	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 3940 wrote to memory of 3772	3940	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 3940 wrote to memory of 3772	3940	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 3940 wrote to memory of 3772	3940	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 3940 wrote to memory of 3772	3940	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 3940 wrote to memory of 3772	3940	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 3772 wrote to memory of 3164	3772	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	icacls.exe
PID 3772 wrote to memory of 3164	3772	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	icacls.exe
PID 3772 wrote to memory of 3164	3772	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	icacls.exe
PID 3772 wrote to memory of 980	3772	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 3772 wrote to memory of 980	3772	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 3772 wrote to memory of 980	3772	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 980 wrote to memory of 2248	980	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 980 wrote to memory of 2248	980	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 980 wrote to memory of 2248	980	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 980 wrote to memory of 2248	980	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 980 wrote to memory of 2248	980	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 980 wrote to memory of 2248	980	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 980 wrote to memory of 2248	980	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 980 wrote to memory of 2248	980	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 980 wrote to memory of 2248	980	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 980 wrote to memory of 2248	980	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe
PID 2248 wrote to memory of 2724	2248	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	build2.exe
PID 2248 wrote to memory of 2724	2248	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	build2.exe
PID 2248 wrote to memory of 2724	2248	377905232b3368e37412883e9103b01b63c4845977c02a3c99f14be2f85d92c1.exe	build2.exe
PID 2724 wrote to memory of 3212	2724	build2.exe	build2.exe
PID 2724 wrote to memory of 3212	2724	build2.exe	build2.exe
PID 2724 wrote to memory of 3212	2724	build2.exe	build2.exe
PID 2724 wrote to memory of 3212	2724	build2.exe	build2.exe
PID 2724 wrote to memory of 3212	2724	build2.exe	build2.exe
PID 2724 wrote to memory of 3212	2724	build2.exe	build2.exe
PID 2724 wrote to memory of 3212	2724	build2.exe	build2.exe
PID 2724 wrote to memory of 3212	2724	build2.exe	build2.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads