e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df

General

Target

e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
Size

2.3MB
MD5

6004c0cdffdf116879d88f9898738228
SHA1

e8de63f3205bc5483308ab088eec331f56737502
SHA256

e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df
SHA512

ee26398eef63d0dc6bc91df741fd59febd0e187bb57123a606296dd5398e94bd0547658baa5b9802679468907e9433750bb57513b8bd9e66249f586b22d97381
SSDEEP

49152:LboFAXbWg7uiJlwxkJy9gN2hDzDfr02/eQYGpwt:Y7gqHhg

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdf = "C:\\Users\\Admin\\AppData\\Roaming\\pdf.exe"	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

2380 ipconfig.exe
2576 ipconfig.exe

pid	process
2380	ipconfig.exe
2576	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exee5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe

pid	process
2780	powershell.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
Token: SeDebugPrivilege	2780	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.execmd.execmd.execmd.exe

C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
"C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
2⤵
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:2380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\
2⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell set-mppreference -exclusionpath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
2⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
3⤵
- Gathers network information
PID:2576

C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
2⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
2⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
2⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
2⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
2⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
2⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
2⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
2⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
2⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
C:\Users\Admin\AppData\Local\Temp\e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
2⤵
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1748-6-0x0000000004800000-0x000000000484C000-memory.dmp

Filesize
304KB

Download
memory/1748-14-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/1748-2-0x0000000004290000-0x00000000042E8000-memory.dmp

Filesize
352KB

Download
memory/1748-3-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

Filesize
256KB

Download
memory/1748-4-0x0000000002060000-0x00000000020A0000-memory.dmp

Filesize
256KB

Download
memory/1748-5-0x00000000047C0000-0x0000000004800000-memory.dmp

Filesize
256KB

Download
memory/1748-1-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/1748-17-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/1748-0-0x0000000000290000-0x00000000004D4000-memory.dmp

Filesize
2.3MB

Download
memory/1748-15-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

Filesize
256KB

Download
memory/2780-10-0x000000006F120000-0x000000006F6CB000-memory.dmp

Filesize
5.7MB

Download
memory/2780-13-0x000000006F120000-0x000000006F6CB000-memory.dmp

Filesize
5.7MB

Download
memory/2780-12-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/2780-11-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/2780-9-0x000000006F120000-0x000000006F6CB000-memory.dmp

Filesize
5.7MB

Download

description	pid	process	target process
PID 1748 wrote to memory of 2892	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	cmd.exe
PID 1748 wrote to memory of 2892	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	cmd.exe
PID 1748 wrote to memory of 2892	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	cmd.exe
PID 1748 wrote to memory of 2892	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	cmd.exe
PID 2892 wrote to memory of 2380	2892	cmd.exe	ipconfig.exe
PID 2892 wrote to memory of 2380	2892	cmd.exe	ipconfig.exe
PID 2892 wrote to memory of 2380	2892	cmd.exe	ipconfig.exe
PID 2892 wrote to memory of 2380	2892	cmd.exe	ipconfig.exe
PID 1748 wrote to memory of 2720	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	cmd.exe
PID 1748 wrote to memory of 2720	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	cmd.exe
PID 1748 wrote to memory of 2720	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	cmd.exe
PID 1748 wrote to memory of 2720	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	cmd.exe
PID 2720 wrote to memory of 2780	2720	cmd.exe	powershell.exe
PID 2720 wrote to memory of 2780	2720	cmd.exe	powershell.exe
PID 2720 wrote to memory of 2780	2720	cmd.exe	powershell.exe
PID 2720 wrote to memory of 2780	2720	cmd.exe	powershell.exe
PID 1748 wrote to memory of 2744	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	cmd.exe
PID 1748 wrote to memory of 2744	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	cmd.exe
PID 1748 wrote to memory of 2744	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	cmd.exe
PID 1748 wrote to memory of 2744	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	cmd.exe
PID 2744 wrote to memory of 2576	2744	cmd.exe	ipconfig.exe
PID 2744 wrote to memory of 2576	2744	cmd.exe	ipconfig.exe
PID 2744 wrote to memory of 2576	2744	cmd.exe	ipconfig.exe
PID 2744 wrote to memory of 2576	2744	cmd.exe	ipconfig.exe
PID 1748 wrote to memory of 2588	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2588	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2588	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2588	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2588	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2588	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2588	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2596	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2596	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2596	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2596	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2596	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2596	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2596	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2640	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2640	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2640	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2640	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2640	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2640	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2640	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2648	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2648	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2648	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2648	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2648	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2648	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2648	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2468	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2468	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2468	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2468	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2468	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2468	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 2468	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 1012	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 1012	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 1012	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 1012	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe
PID 1748 wrote to memory of 1012	1748	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe	e5dddee3a42599e75396f0668e560aed886b995d0f4618c6d81207cd433e85df.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads