satana | ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72

General

Target

ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72.exe
Size

34KB
MD5

a5444dd6ee8773915096c31bd882e247
SHA1

88265756945984ebd5fe58827c39ca1f1a2bf487
SHA256

ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72
SHA512

1d535287436a2b30895860ca5e06784bc6d1a3c35f513e890d44ce3a84bbdead3ff39882929cce1e5a62a186999e639bd8473da2384f1c8f5326c993a3fc2247

Score

10^/10

satana bootkit persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note

You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: 2811CAB3DC2A63CEB89AED116AECF3F1 and pay on a Bitcoin Wallet: XbvKCGr8VowpBLwE8VxHNL2oL24ukKcNFw total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: 2811CAB3DC2A63CEB89AED116AECF3F1 this is code; you must send BTC: XbvKCGr8VowpBLwE8VxHNL2oL24ukKcNFw here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Emails

[email protected]

Signatures

Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
ransomware satana
Executes dropped EXE 1 IoCs

Processes:

innnvj.exe

pid process

3656 innnvj.exe

pid	process
3656	innnvj.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bgwkxqy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt"	ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

innnvj.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 innnvj.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	innnvj.exe

Drops file in Windows directory 3 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4300"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3976"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.761923"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4076"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "11.109365"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132894048609216334"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

TiWorker.exeinnnvj.exe

description	pid	process
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeIncBasePriorityPrivilege	3656	innnvj.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe
Token: SeBackupPrivilege	1796	TiWorker.exe
Token: SeRestorePrivilege	1796	TiWorker.exe
Token: SeSecurityPrivilege	1796	TiWorker.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72.exe

description	pid	process	target process
PID 3728 wrote to memory of 3656	3728	ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72.exe	innnvj.exe
PID 3728 wrote to memory of 3656	3728	ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72.exe	innnvj.exe
PID 3728 wrote to memory of 3656	3728	ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72.exe	innnvj.exe

C:\Users\Admin\AppData\Local\Temp\ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72.exe
"C:\Users\Admin\AppData\Local\Temp\ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Users\Admin\AppData\Local\Temp\innnvj.exe
  "C:\Users\Admin\AppData\Local\Temp\innnvj.exe" {be652f30-73f6-11ec-82c1-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\EA2C16~1.EXE"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:3656

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:1552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3832

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

MD5
56fcb7602d356ca1c2e7bc9f94e66724

SHA1
6c20da0ff228a720376a824129a35e9a5679a98f

SHA256
01a734ce83dba0a25b9aff72258e785b127b0a80303e7985bba477c0aa7524aa

SHA512
615310dfeff574648ff4a8476069d4fab7ad92316de40964c0a8918f0ade816f62ec2bf82366dd5084edd50bafd6a5af8b50caa351c12e4092a0390fb2647043

Download Submit
C:\Users\Admin\AppData\Local\Temp\innnvj.exe

MD5
a5444dd6ee8773915096c31bd882e247

SHA1
88265756945984ebd5fe58827c39ca1f1a2bf487

SHA256
ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72

SHA512
1d535287436a2b30895860ca5e06784bc6d1a3c35f513e890d44ce3a84bbdead3ff39882929cce1e5a62a186999e639bd8473da2384f1c8f5326c993a3fc2247

Download Submit
C:\Users\Admin\AppData\Local\Temp\innnvj.exe

MD5
a5444dd6ee8773915096c31bd882e247

SHA1
88265756945984ebd5fe58827c39ca1f1a2bf487

SHA256
ea2c169529e782994be5296c81ff4668dba2b77a805bd057b53e5952c65aaf72

SHA512
1d535287436a2b30895860ca5e06784bc6d1a3c35f513e890d44ce3a84bbdead3ff39882929cce1e5a62a186999e639bd8473da2384f1c8f5326c993a3fc2247

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads