vkeylogger | ebbf3b5a2fea9d1313ec35ce127db7dd86a7b6c55c241fcf3d7e2f7b167a7100

General

Target

9394c417afa9c6615a4aa929b062f420.exe
Size

210KB
MD5

9394c417afa9c6615a4aa929b062f420
SHA1

b63ec408e1d573ad34b0acca7821db58b9c9135d
SHA256

ebbf3b5a2fea9d1313ec35ce127db7dd86a7b6c55c241fcf3d7e2f7b167a7100
SHA512

9129389dcda5b669e8e3e13424d2fe9fa851b4daa1dfb68e5da1e57591d88ff52e9c534716bc337ef9b838d73faa71af3763ff11e000788ec21effe7b883b76b

Score

10^/10

vkeylogger keylogger persistence stealer

Malware Config

Signatures

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2620-135-0x00000000004A0000-0x00000000004D7000-memory.dmp	family_vkeylogger
behavioral2/memory/4352-136-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral2/memory/4352-137-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral2/memory/1596-138-0x0000000000660000-0x000000000066F000-memory.dmp	family_vkeylogger
behavioral2/memory/1476-140-0x00000000004A0000-0x00000000004D7000-memory.dmp	family_vkeylogger
behavioral2/memory/3476-143-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral2/memory/1364-144-0x0000000000690000-0x000000000069F000-memory.dmp	family_vkeylogger

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9394c417afa9c6615a4aa929b062f420.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

9394c417afa9c6615a4aa929b062f420.exe9394c417afa9c6615a4aa929b062f420.exe9394c417afa9c6615a4aa929b062f420.exe9394c417afa9c6615a4aa929b062f420.exe

description	pid	process	target process
PID 2620 set thread context of 4352	2620	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 4352 set thread context of 1596	4352	9394c417afa9c6615a4aa929b062f420.exe	explorer.exe
PID 1476 set thread context of 3476	1476	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 3476 set thread context of 1364	3476	9394c417afa9c6615a4aa929b062f420.exe	explorer.exe

Drops file in Windows directory 50 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\LZOCjtiHKk8=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BITD974.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\9+dL4Puh6FM8puPxsBEX86BMeGqpuC0b7gf2fD9DLLo=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\af66e12c1bb9d8519da21259d0fcd88c247cb4f1	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT19B5.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\o\egfDu3QHOC\BIT35D4.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BITF26D.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BIT2A.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\612ad442b8740f4c57b8c84e6bf465ba4699118c	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BITA7E.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\6e15245aed25ee83b027521f9cf9ea812c9d016d	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BIT2CF9.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\BIT8AF0.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BITD57A.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\f3535a3b47819a04c6d5ee18905493be086e801e	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BITB5A.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\BIT22EE.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\d9f2a302574bf135efc9dbd1a8083a336f7f52f0	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BIT343D.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\BIT5EFC.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BITD4FC.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\e1a85885fd4453165061351651289cce8f8590c4	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\BIT2767.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BIT3846.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\BIT2BED.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\Cmn5TH6S2lFFnfMN8MLr2EoNUIAGzQo2UUjHGMEC99A=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BITD7.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\F2WKV54ysEMEW9U+EfiUeJcNcgfNL4pMC5NmE0a3mAg=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT1A52.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\BIT2438.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\FTTOLXxEZk0li+ZNE2Uo=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\BIT2524.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\BIT2C9A.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT11C5.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\BIT23AB.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\o\egfDu3QHOC\BIT5E5E.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BITD925.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\fDFnweOZvFE=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\o\egfDu3QHOC\Xbfe7KpvVnvJHxQ2cRDBmUlnoMnpDY=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\BIT3886.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\o\egfDu3QHOC\BIT8978.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\a3f602ea4d534d006919a2613d91f9506b383314	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BITD607.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\5ondRmJ90JlkPETuN535TWk=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BITF191.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT982.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BITA10.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT1127.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\BIT2804.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\2cd32031792245e69c7777193005916861cbbe94	svchost.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

9394c417afa9c6615a4aa929b062f420.exe9394c417afa9c6615a4aa929b062f420.exe

pid	process
2620	9394c417afa9c6615a4aa929b062f420.exe
2620	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe
1476	9394c417afa9c6615a4aa929b062f420.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

9394c417afa9c6615a4aa929b062f420.exe9394c417afa9c6615a4aa929b062f420.exeexplorer.exe

pid process

4352 9394c417afa9c6615a4aa929b062f420.exe
3476 9394c417afa9c6615a4aa929b062f420.exe
1364 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

explorer.exe

pid process

1364 explorer.exe

pid	process
4352	9394c417afa9c6615a4aa929b062f420.exe
3476	9394c417afa9c6615a4aa929b062f420.exe
1364	explorer.exe

pid	process
1364	explorer.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

9394c417afa9c6615a4aa929b062f420.exe9394c417afa9c6615a4aa929b062f420.exe9394c417afa9c6615a4aa929b062f420.exe9394c417afa9c6615a4aa929b062f420.exe

C:\Users\Admin\AppData\Local\Temp\9394c417afa9c6615a4aa929b062f420.exe
"C:\Users\Admin\AppData\Local\Temp\9394c417afa9c6615a4aa929b062f420.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\AppData\Local\Temp\9394c417afa9c6615a4aa929b062f420.exe
"C:\Users\Admin\AppData\Local\Temp\9394c417afa9c6615a4aa929b062f420.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\9394c417afa9c6615a4aa929b062f420.exe
"C:\Users\Admin\AppData\Local\Temp\9394c417afa9c6615a4aa929b062f420.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Local\Temp\9394c417afa9c6615a4aa929b062f420.exe
"C:\Users\Admin\AppData\Local\Temp\9394c417afa9c6615a4aa929b062f420.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
4⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
PID:1364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Drops file in Windows directory
PID:1260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1260-148-0x00000217A7320000-0x00000217A7324000-memory.dmp

Filesize
16KB

Download
memory/1260-153-0x00000217A7690000-0x00000217A7694000-memory.dmp

Filesize
16KB

Download
memory/1260-152-0x00000217A76C0000-0x00000217A76C4000-memory.dmp

Filesize
16KB

Download
memory/1260-151-0x00000217A7670000-0x00000217A7674000-memory.dmp

Filesize
16KB

Download
memory/1260-150-0x00000217A7670000-0x00000217A7674000-memory.dmp

Filesize
16KB

Download
memory/1260-147-0x00000217A6CE0000-0x00000217A6CE4000-memory.dmp

Filesize
16KB

Download
memory/1260-145-0x00000217A3D60000-0x00000217A3D70000-memory.dmp

Filesize
64KB

Download
memory/1260-146-0x00000217A4920000-0x00000217A4930000-memory.dmp

Filesize
64KB

Download
memory/1260-149-0x00000217A7320000-0x00000217A7324000-memory.dmp

Filesize
16KB

Download
memory/1364-144-0x0000000000690000-0x000000000069F000-memory.dmp

Filesize
60KB

Download
memory/1476-141-0x00000000774C0000-0x0000000077663000-memory.dmp

Filesize
1.6MB

Download
memory/1476-140-0x00000000004A0000-0x00000000004D7000-memory.dmp

Filesize
220KB

Download
memory/1476-139-0x00000000774C0000-0x0000000077663000-memory.dmp

Filesize
1.6MB

Download
memory/1596-138-0x0000000000660000-0x000000000066F000-memory.dmp

Filesize
60KB

Download
memory/2620-134-0x00000000774C0000-0x0000000077663000-memory.dmp

Filesize
1.6MB

Download
memory/2620-135-0x00000000004A0000-0x00000000004D7000-memory.dmp

Filesize
220KB

Download
memory/3476-143-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4352-137-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4352-136-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

description	pid	process	target process
PID 2620 wrote to memory of 4352	2620	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 2620 wrote to memory of 4352	2620	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 2620 wrote to memory of 4352	2620	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 2620 wrote to memory of 4352	2620	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 2620 wrote to memory of 4352	2620	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 2620 wrote to memory of 4352	2620	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 2620 wrote to memory of 4352	2620	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 2620 wrote to memory of 4352	2620	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 2620 wrote to memory of 4352	2620	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 2620 wrote to memory of 4352	2620	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 4352 wrote to memory of 1596	4352	9394c417afa9c6615a4aa929b062f420.exe	explorer.exe
PID 4352 wrote to memory of 1596	4352	9394c417afa9c6615a4aa929b062f420.exe	explorer.exe
PID 4352 wrote to memory of 1596	4352	9394c417afa9c6615a4aa929b062f420.exe	explorer.exe
PID 2620 wrote to memory of 1476	2620	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 2620 wrote to memory of 1476	2620	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 2620 wrote to memory of 1476	2620	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 1476 wrote to memory of 3476	1476	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 1476 wrote to memory of 3476	1476	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 1476 wrote to memory of 3476	1476	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 1476 wrote to memory of 3476	1476	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 1476 wrote to memory of 3476	1476	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 1476 wrote to memory of 3476	1476	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 1476 wrote to memory of 3476	1476	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 1476 wrote to memory of 3476	1476	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 1476 wrote to memory of 3476	1476	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 1476 wrote to memory of 3476	1476	9394c417afa9c6615a4aa929b062f420.exe	9394c417afa9c6615a4aa929b062f420.exe
PID 3476 wrote to memory of 1364	3476	9394c417afa9c6615a4aa929b062f420.exe	explorer.exe
PID 3476 wrote to memory of 1364	3476	9394c417afa9c6615a4aa929b062f420.exe	explorer.exe
PID 3476 wrote to memory of 1364	3476	9394c417afa9c6615a4aa929b062f420.exe	explorer.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads