purecrypter | b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f

General

Target

b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
Size

3.3MB
MD5

031e2e05add303f0e8adbca3be022151
SHA1

719acfd7047f5a2003ed1386b97ed5e2868d09d2
SHA256

b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f
SHA512

86b5466b716bddceb1b6ef482f1683f248e8120100d8e529178a21d4542337d3b4c9362bb4fbbf90c2759d8413f3e2ca2112a20e32dccd44bce07bb9c3388536
SSDEEP

49152:By408wwmrOYMMJNBzgz15u+djZSHc2E2Y8csb6Aged9XJUOHUr+RmE:ayoDz+15VzSHc2EJ8cc3xtoKU

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/980-55-0x0000000004A30000-0x0000000004D64000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sdbhybed = "\"C:\\Users\\Admin\\AppData\\Roaming\\Jqgnazw\\Sdbhybed.exe\""	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exeb5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe

pid	process
1496	powershell.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
Token: SeDebugPrivilege	1496	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

960 AcroRd32.exe
960 AcroRd32.exe
960 AcroRd32.exe
960 AcroRd32.exe

pid	process
960	AcroRd32.exe
960	AcroRd32.exe
960	AcroRd32.exe
960	AcroRd32.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe

C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
"C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ifdtktlacord_certificate_of_insurance.pdf"
2⤵
- Suspicious use of SetWindowsHookEx
PID:960

C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
2⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
2⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
2⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
2⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
2⤵
PID:288

C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
2⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
2⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
2⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
2⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
2⤵
PID:1048

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ifdtktlacord_certificate_of_insurance.pdf
Filesize
102KB

MD5
261fa374ef694300b6bb6aa3d27ccb34

SHA1
cc931c06a52082b031d03ea8c517f69d3bdf0e13

SHA256
5921d7a39219dac7bb469d80c4d3932e457a5a17249155c389c1ef47d9d8e452

SHA512
807914c336c784668291b82a36e747b2945afd15e5bec77864f9aa61efbd3f65f63901e655cf43c1f84f15fed60422adc8c3f425d1dfdff4d6541fb8f9ec2001

Download Submit
memory/960-62-0x0000000000000000-mapping.dmp

Download
memory/960-66-0x0000000002C50000-0x0000000002CC6000-memory.dmp

Filesize
472KB

Download
memory/980-54-0x0000000000320000-0x0000000000666000-memory.dmp

Filesize
3.3MB

Download
memory/980-55-0x0000000004A30000-0x0000000004D64000-memory.dmp

Filesize
3.2MB

Download
memory/980-56-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/980-65-0x0000000005560000-0x000000000565E000-memory.dmp

Filesize
1016KB

Download
memory/1496-57-0x0000000000000000-mapping.dmp

Download
memory/1496-59-0x000000006F900000-0x000000006FEAB000-memory.dmp

Filesize
5.7MB

Download
memory/1496-60-0x000000006F900000-0x000000006FEAB000-memory.dmp

Filesize
5.7MB

Download
memory/1496-61-0x000000006F900000-0x000000006FEAB000-memory.dmp

Filesize
5.7MB

Download

description	pid	process	target process
PID 980 wrote to memory of 1496	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	powershell.exe
PID 980 wrote to memory of 1496	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	powershell.exe
PID 980 wrote to memory of 1496	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	powershell.exe
PID 980 wrote to memory of 1496	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	powershell.exe
PID 980 wrote to memory of 960	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	AcroRd32.exe
PID 980 wrote to memory of 960	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	AcroRd32.exe
PID 980 wrote to memory of 960	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	AcroRd32.exe
PID 980 wrote to memory of 960	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	AcroRd32.exe
PID 980 wrote to memory of 1412	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1412	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1412	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1412	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1880	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1880	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1880	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1880	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1204	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1204	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1204	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1204	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 436	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 436	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 436	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 436	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 288	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 288	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 288	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 288	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 840	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 840	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 840	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 840	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1696	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1696	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1696	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1696	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1456	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1456	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1456	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1456	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1980	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1980	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1980	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1980	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1048	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1048	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1048	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
PID 980 wrote to memory of 1048	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads