satana | ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d

General

Target

ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe
Size

34KB
MD5

d236fcc8789f94f085137058311e848b
SHA1

808061052c9efc7c7255ffeb92c77b02bbb8cfee
SHA256

ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d
SHA512

730c6bf2d17a6fd4b1de4a361848381256187e3cda1133f8d990107a44274078486b310f97751eef771e1e618c2e233f8852a4d61dc93b5ed1c757131e58948d

Score

10^/10

satana bootkit persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note

You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: 2811CAB3DC2A63CEB89AED116AECF3F1 and pay on a Bitcoin Wallet: XsrR2he2Z8un5ysGWnJ1wveZRPRS96XEoX total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: 2811CAB3DC2A63CEB89AED116AECF3F1 this is code; you must send BTC: XsrR2he2Z8un5ysGWnJ1wveZRPRS96XEoX here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Emails

[email protected]

Signatures

Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
ransomware satana
Executes dropped EXE 1 IoCs

Processes:

djayegu.exe

pid process

2596 djayegu.exe

pid	process
2596	djayegu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iejdtqsd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt"	ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

djayegu.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 djayegu.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	djayegu.exe

Drops file in Windows directory 3 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132894048892123824"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4088"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4324"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.724166"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.785694"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

TiWorker.exedjayegu.exe

description	pid	process
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeIncBasePriorityPrivilege	2596	djayegu.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe
Token: SeBackupPrivilege	3888	TiWorker.exe
Token: SeRestorePrivilege	3888	TiWorker.exe
Token: SeSecurityPrivilege	3888	TiWorker.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe

description	pid	process	target process
PID 3796 wrote to memory of 2596	3796	ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe	djayegu.exe
PID 3796 wrote to memory of 2596	3796	ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe	djayegu.exe
PID 3796 wrote to memory of 2596	3796	ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe	djayegu.exe

C:\Users\Admin\AppData\Local\Temp\ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe
"C:\Users\Admin\AppData\Local\Temp\ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3796

C:\Users\Admin\AppData\Local\Temp\djayegu.exe
"C:\Users\Admin\AppData\Local\Temp\djayegu.exe" {be652f30-73f6-11ec-82c1-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\EE9377~1.EXE"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:2252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3956

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!satana!.txt
MD5
5aa769e81f1eb26ab89e159497ee6228

SHA1
72a2d9fa783dec078ba363b9ae3531dc1366060a

SHA256
daa05908a383bf67d811fbc72878f7ddaa473da79bb8403a0e91eff7580c0148

SHA512
0de30004da336d9df8989aa69f577181c918a0cd8b0a4fa321d8509224ae393476d328c646f0cf63e1474e91b5f362928e31f998ed7e0c29a67b4eb4ba7ad243

Download Submit
C:\Users\Admin\AppData\Local\Temp\djayegu.exe
MD5
d236fcc8789f94f085137058311e848b

SHA1
808061052c9efc7c7255ffeb92c77b02bbb8cfee

SHA256
ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d

SHA512
730c6bf2d17a6fd4b1de4a361848381256187e3cda1133f8d990107a44274078486b310f97751eef771e1e618c2e233f8852a4d61dc93b5ed1c757131e58948d

Download Submit
C:\Users\Admin\AppData\Local\Temp\djayegu.exe
MD5
d236fcc8789f94f085137058311e848b

SHA1
808061052c9efc7c7255ffeb92c77b02bbb8cfee

SHA256
ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d

SHA512
730c6bf2d17a6fd4b1de4a361848381256187e3cda1133f8d990107a44274078486b310f97751eef771e1e618c2e233f8852a4d61dc93b5ed1c757131e58948d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads