b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5

General

Target

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Size

394KB
MD5

f7533c6cdcaf5f39b1656e6d93644639
SHA1

a5720fac0e88fd0c5c717ea5bb9f451f1ef7aa43
SHA256

b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5
SHA512

5fdf0227d08eadd2238e66839c3b5b23d45db7493d9809f3db4ae3cf129a4dae10df1e98c1ebabbb8d48a7003a034bf958fb1fd34bf9f283d30903ffdb6d6e0b

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\msa\\wimpr.exe"	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\msa\\wimpr.exe"	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

Executes dropped EXE 2 IoCs

Processes:

wimpr.exewimpr.exe

pid process

1300 wimpr.exe
544 wimpr.exe

pid	process
1300	wimpr.exe
544	wimpr.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1268-61-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1268-64-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/832-115-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/544-116-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

pid process

832 B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
832 B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

pid	process
832	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
832	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exewimpr.exe

description	pid	process	target process
PID 1040 set thread context of 1268	1040	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1300 set thread context of 544	1300	wimpr.exe	wimpr.exe

Drops file in Windows directory 3 IoCs

Processes:

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exewimpr.exe

description	ioc	process
File created	C:\Windows\msa\wimpr.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
File opened for modification	C:\Windows\msa\wimpr.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
File opened for modification	C:\Windows\msa\wimpr.exe	wimpr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

pid process

832 B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

pid	process
832	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

description	pid	process
Token: SeBackupPrivilege	832	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Token: SeRestorePrivilege	832	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Token: SeDebugPrivilege	832	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Token: SeDebugPrivilege	832	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exewimpr.exe

pid process

1040 B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
1300 wimpr.exe

pid	process
1040	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
1300	wimpr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exeB23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

C:\Users\Admin\AppData\Local\Temp\B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
"C:\Users\Admin\AppData\Local\Temp\B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
"C:\Users\Admin\AppData\Local\Temp\B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe"
2⤵
- Adds policy Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
"C:\Users\Admin\AppData\Local\Temp\B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe"
3⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\msa\wimpr.exe
"C:\Windows\msa\wimpr.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1300

C:\Windows\msa\wimpr.exe
"C:\Windows\msa\wimpr.exe"
5⤵
- Executes dropped EXE
PID:544

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Local\Temp\teste.vbs"
4⤵
PID:1648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
MD5
2329955df695945d28ce7f39994959ed

SHA1
8d39f0158bc5d0ce56c24c5864327e8860007549

SHA256
d6eef09754540671f0afa7a2dca8fa284570daed3b7081959d42aa71affebc4f

SHA512
38391aeed6f7da7f13273cfcffd1b7579fe7c3c0f070e42c1f2de5e99ac5a72ceed79d27039868fa4b7649bc35d0e3df0b55a546381f9ab8f4ac7a8aa17d0109

Download Submit
C:\Users\Admin\AppData\Local\Temp\teste.txt
MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\teste.vbs
MD5
615964e5ab63a70f0e205a476c48e356

SHA1
292620321db69d57ba23fa98d2a89484ddcf83d0

SHA256
38a2c0e90a7c86eb5355710dd205f22f84dbba59e688cd3da6394af8c924a102

SHA512
69886825baf2075f8e6cdc50b0b34f92d5d06d42db4586396fb3db806fef79986ba5754c7b1251b007cde4f943efe9e3d27800dd7e15f8084fd7e7e6046c3ccc

Download Submit
C:\Windows\msa\wimpr.exe
MD5
f7533c6cdcaf5f39b1656e6d93644639

SHA1
a5720fac0e88fd0c5c717ea5bb9f451f1ef7aa43

SHA256
b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5

SHA512
5fdf0227d08eadd2238e66839c3b5b23d45db7493d9809f3db4ae3cf129a4dae10df1e98c1ebabbb8d48a7003a034bf958fb1fd34bf9f283d30903ffdb6d6e0b

Download Submit
C:\Windows\msa\wimpr.exe
MD5
f7533c6cdcaf5f39b1656e6d93644639

SHA1
a5720fac0e88fd0c5c717ea5bb9f451f1ef7aa43

SHA256
b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5

SHA512
5fdf0227d08eadd2238e66839c3b5b23d45db7493d9809f3db4ae3cf129a4dae10df1e98c1ebabbb8d48a7003a034bf958fb1fd34bf9f283d30903ffdb6d6e0b

Download Submit
C:\Windows\msa\wimpr.exe
MD5
f7533c6cdcaf5f39b1656e6d93644639

SHA1
a5720fac0e88fd0c5c717ea5bb9f451f1ef7aa43

SHA256
b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5

SHA512
5fdf0227d08eadd2238e66839c3b5b23d45db7493d9809f3db4ae3cf129a4dae10df1e98c1ebabbb8d48a7003a034bf958fb1fd34bf9f283d30903ffdb6d6e0b

Download Submit
\Windows\msa\wimpr.exe
MD5
f7533c6cdcaf5f39b1656e6d93644639

SHA1
a5720fac0e88fd0c5c717ea5bb9f451f1ef7aa43

SHA256
b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5

SHA512
5fdf0227d08eadd2238e66839c3b5b23d45db7493d9809f3db4ae3cf129a4dae10df1e98c1ebabbb8d48a7003a034bf958fb1fd34bf9f283d30903ffdb6d6e0b

Download Submit
\Windows\msa\wimpr.exe
MD5
f7533c6cdcaf5f39b1656e6d93644639

SHA1
a5720fac0e88fd0c5c717ea5bb9f451f1ef7aa43

SHA256
b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5

SHA512
5fdf0227d08eadd2238e66839c3b5b23d45db7493d9809f3db4ae3cf129a4dae10df1e98c1ebabbb8d48a7003a034bf958fb1fd34bf9f283d30903ffdb6d6e0b

Download Submit
memory/544-77-0x0000000000454FE0-mapping.dmp

Download
memory/544-116-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/832-66-0x0000000000000000-mapping.dmp

Download
memory/832-115-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/832-81-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/832-80-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1268-61-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1268-64-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1268-63-0x0000000074F31000-0x0000000074F33000-memory.dmp

Filesize
8KB

Download
memory/1268-62-0x0000000000454FE0-mapping.dmp

Download
memory/1300-72-0x0000000000000000-mapping.dmp

Download
memory/1648-117-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1040 wrote to memory of 1268	1040	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1040 wrote to memory of 1268	1040	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1040 wrote to memory of 1268	1040	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1040 wrote to memory of 1268	1040	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1040 wrote to memory of 1268	1040	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1040 wrote to memory of 1268	1040	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1040 wrote to memory of 1268	1040	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1040 wrote to memory of 1268	1040	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1268 wrote to memory of 832	1268	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads