b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5

General

Target

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Size

394KB
MD5

f7533c6cdcaf5f39b1656e6d93644639
SHA1

a5720fac0e88fd0c5c717ea5bb9f451f1ef7aa43
SHA256

b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5
SHA512

5fdf0227d08eadd2238e66839c3b5b23d45db7493d9809f3db4ae3cf129a4dae10df1e98c1ebabbb8d48a7003a034bf958fb1fd34bf9f283d30903ffdb6d6e0b

Score

10^/10

persistence upx

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 504 created 804 504 WerFault.exe B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

description	pid	process	target process
PID 504 created 804	504	WerFault.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\msa\\wimpr.exe"	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\msa\\wimpr.exe"	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

Executes dropped EXE 2 IoCs

Processes:

wimpr.exewimpr.exe

pid process

3976 wimpr.exe
800 wimpr.exe

pid	process
3976	wimpr.exe
800	wimpr.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3720-116-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3720-118-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/804-156-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/800-166-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exewimpr.exe

description	pid	process	target process
PID 1000 set thread context of 3720	1000	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3976 set thread context of 800	3976	wimpr.exe	wimpr.exe

Drops file in Windows directory 3 IoCs

Processes:

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exewimpr.exe

description	ioc	process
File created	C:\Windows\msa\wimpr.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
File opened for modification	C:\Windows\msa\wimpr.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
File opened for modification	C:\Windows\msa\wimpr.exe	wimpr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2216	804	WerFault.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
2336	800	WerFault.exe	wimpr.exe
504	804	WerFault.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	process
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe
504	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

pid process

804 B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

pid	process
804	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeBackupPrivilege	804	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Token: SeRestorePrivilege	804	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Token: SeDebugPrivilege	804	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Token: SeDebugPrivilege	804	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
Token: SeRestorePrivilege	2216	WerFault.exe
Token: SeBackupPrivilege	2216	WerFault.exe
Token: SeDebugPrivilege	2216	WerFault.exe
Token: SeDebugPrivilege	2336	WerFault.exe
Token: SeDebugPrivilege	504	WerFault.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exewimpr.exe

pid process

1000 B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
3976 wimpr.exe

pid	process
1000	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
3976	wimpr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exeB23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

C:\Users\Admin\AppData\Local\Temp\B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
"C:\Users\Admin\AppData\Local\Temp\B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Local\Temp\B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
"C:\Users\Admin\AppData\Local\Temp\B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe"
2⤵
- Adds policy Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3720

C:\Users\Admin\AppData\Local\Temp\B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
"C:\Users\Admin\AppData\Local\Temp\B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe"
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1408
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\msa\wimpr.exe
"C:\Windows\msa\wimpr.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3976

C:\Windows\msa\wimpr.exe
"C:\Windows\msa\wimpr.exe"
5⤵
- Executes dropped EXE
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 620
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1524
4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
MD5
2329955df695945d28ce7f39994959ed

SHA1
8d39f0158bc5d0ce56c24c5864327e8860007549

SHA256
d6eef09754540671f0afa7a2dca8fa284570daed3b7081959d42aa71affebc4f

SHA512
38391aeed6f7da7f13273cfcffd1b7579fe7c3c0f070e42c1f2de5e99ac5a72ceed79d27039868fa4b7649bc35d0e3df0b55a546381f9ab8f4ac7a8aa17d0109

Download Submit
C:\Windows\msa\wimpr.exe
MD5
f7533c6cdcaf5f39b1656e6d93644639

SHA1
a5720fac0e88fd0c5c717ea5bb9f451f1ef7aa43

SHA256
b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5

SHA512
5fdf0227d08eadd2238e66839c3b5b23d45db7493d9809f3db4ae3cf129a4dae10df1e98c1ebabbb8d48a7003a034bf958fb1fd34bf9f283d30903ffdb6d6e0b

Download Submit
C:\Windows\msa\wimpr.exe
MD5
f7533c6cdcaf5f39b1656e6d93644639

SHA1
a5720fac0e88fd0c5c717ea5bb9f451f1ef7aa43

SHA256
b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5

SHA512
5fdf0227d08eadd2238e66839c3b5b23d45db7493d9809f3db4ae3cf129a4dae10df1e98c1ebabbb8d48a7003a034bf958fb1fd34bf9f283d30903ffdb6d6e0b

Download Submit
C:\Windows\msa\wimpr.exe
MD5
f7533c6cdcaf5f39b1656e6d93644639

SHA1
a5720fac0e88fd0c5c717ea5bb9f451f1ef7aa43

SHA256
b23d910f08643f0c79f08297aad168634e6f5a5552eb469f4b7e0bce2b0568b5

SHA512
5fdf0227d08eadd2238e66839c3b5b23d45db7493d9809f3db4ae3cf129a4dae10df1e98c1ebabbb8d48a7003a034bf958fb1fd34bf9f283d30903ffdb6d6e0b

Download Submit
memory/800-166-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/800-164-0x0000000000454FE0-mapping.dmp

Download
memory/804-156-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/804-121-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/804-122-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/804-120-0x0000000000000000-mapping.dmp

Download
memory/3720-116-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3720-118-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3720-117-0x0000000000454FE0-mapping.dmp

Download
memory/3976-159-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1000 wrote to memory of 3720	1000	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1000 wrote to memory of 3720	1000	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1000 wrote to memory of 3720	1000	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1000 wrote to memory of 3720	1000	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1000 wrote to memory of 3720	1000	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1000 wrote to memory of 3720	1000	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1000 wrote to memory of 3720	1000	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 1000 wrote to memory of 3720	1000	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe
PID 3720 wrote to memory of 804	3720	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe	B23D910F08643F0C79F08297AAD168634E6F5A5552EB4.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads