26742d280bd042e8013d09f191172a6df79a0fae23232f0e06b62e4995a61d49

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

popcorn.exe
Size

1.2MB
MD5

1f532218ff27c9db1cc49a19083136e9
SHA1

f1d22ee845fd359b38b490efea78cc71f60ad296
SHA256

26742d280bd042e8013d09f191172a6df79a0fae23232f0e06b62e4995a61d49
SHA512

ea716d5d1830a9edce6527c5b06fb6f97234b8a4f98dafdddad81bd1a66949543137051e4c7487c5086d74a1aacf59c4dfef0d545803de1f318a599631aa64fa
SSDEEP

24576:RddFMz0ES5hL+PXRSXTBvP7LIeUfcv0SLqffJgJLjXh0gYUAwvEDbSL:Rdd6z0TDtIfcsSLmfoXYURL

Score

8^/10

evasion persistence privilege_escalation ransomware

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 9 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1748	netsh.exe
1620	netsh.exe
2844	netsh.exe
3916	netsh.exe
5088	netsh.exe
3984	netsh.exe
1180	netsh.exe
864	netsh.exe
4484	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	popcorn.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "/f"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 30 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
936	ipconfig.exe
1120	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4744	systeminfo.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2768	WMIC.exe
Token: SeSecurityPrivilege	2768	WMIC.exe
Token: SeTakeOwnershipPrivilege	2768	WMIC.exe
Token: SeLoadDriverPrivilege	2768	WMIC.exe
Token: SeSystemProfilePrivilege	2768	WMIC.exe
Token: SeSystemtimePrivilege	2768	WMIC.exe
Token: SeProfSingleProcessPrivilege	2768	WMIC.exe
Token: SeIncBasePriorityPrivilege	2768	WMIC.exe
Token: SeCreatePagefilePrivilege	2768	WMIC.exe
Token: SeBackupPrivilege	2768	WMIC.exe
Token: SeRestorePrivilege	2768	WMIC.exe
Token: SeShutdownPrivilege	2768	WMIC.exe
Token: SeDebugPrivilege	2768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2768	WMIC.exe
Token: SeRemoteShutdownPrivilege	2768	WMIC.exe
Token: SeUndockPrivilege	2768	WMIC.exe
Token: SeManageVolumePrivilege	2768	WMIC.exe
Token: 33	2768	WMIC.exe
Token: 34	2768	WMIC.exe
Token: 35	2768	WMIC.exe
Token: 36	2768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2768	WMIC.exe
Token: SeSecurityPrivilege	2768	WMIC.exe
Token: SeTakeOwnershipPrivilege	2768	WMIC.exe
Token: SeLoadDriverPrivilege	2768	WMIC.exe
Token: SeSystemProfilePrivilege	2768	WMIC.exe
Token: SeSystemtimePrivilege	2768	WMIC.exe
Token: SeProfSingleProcessPrivilege	2768	WMIC.exe
Token: SeIncBasePriorityPrivilege	2768	WMIC.exe
Token: SeCreatePagefilePrivilege	2768	WMIC.exe
Token: SeBackupPrivilege	2768	WMIC.exe
Token: SeRestorePrivilege	2768	WMIC.exe
Token: SeShutdownPrivilege	2768	WMIC.exe
Token: SeDebugPrivilege	2768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2768	WMIC.exe
Token: SeRemoteShutdownPrivilege	2768	WMIC.exe
Token: SeUndockPrivilege	2768	WMIC.exe
Token: SeManageVolumePrivilege	2768	WMIC.exe
Token: 33	2768	WMIC.exe
Token: 34	2768	WMIC.exe
Token: 35	2768	WMIC.exe
Token: 36	2768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	556	WMIC.exe
Token: SeSecurityPrivilege	556	WMIC.exe
Token: SeTakeOwnershipPrivilege	556	WMIC.exe
Token: SeLoadDriverPrivilege	556	WMIC.exe
Token: SeSystemProfilePrivilege	556	WMIC.exe
Token: SeSystemtimePrivilege	556	WMIC.exe
Token: SeProfSingleProcessPrivilege	556	WMIC.exe
Token: SeIncBasePriorityPrivilege	556	WMIC.exe
Token: SeCreatePagefilePrivilege	556	WMIC.exe
Token: SeBackupPrivilege	556	WMIC.exe
Token: SeRestorePrivilege	556	WMIC.exe
Token: SeShutdownPrivilege	556	WMIC.exe
Token: SeDebugPrivilege	556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	556	WMIC.exe
Token: SeRemoteShutdownPrivilege	556	WMIC.exe
Token: SeUndockPrivilege	556	WMIC.exe
Token: SeManageVolumePrivilege	556	WMIC.exe
Token: 33	556	WMIC.exe
Token: 34	556	WMIC.exe
Token: 35	556	WMIC.exe
Token: 36	556	WMIC.exe
Token: SeIncreaseQuotaPrivilege	556	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 1404	3484	popcorn.exe	91
PID 3484 wrote to memory of 1404	3484	popcorn.exe	91
PID 3484 wrote to memory of 1404	3484	popcorn.exe	91
PID 1404 wrote to memory of 1424	1404	cmd.exe	102
PID 1404 wrote to memory of 1424	1404	cmd.exe	102
PID 1404 wrote to memory of 1424	1404	cmd.exe	102
PID 1404 wrote to memory of 1132	1404	cmd.exe	103
PID 1404 wrote to memory of 1132	1404	cmd.exe	103
PID 1404 wrote to memory of 1132	1404	cmd.exe	103
PID 1404 wrote to memory of 936	1404	cmd.exe	105
PID 1404 wrote to memory of 936	1404	cmd.exe	105
PID 1404 wrote to memory of 936	1404	cmd.exe	105
PID 1404 wrote to memory of 1120	1404	cmd.exe	106
PID 1404 wrote to memory of 1120	1404	cmd.exe	106
PID 1404 wrote to memory of 1120	1404	cmd.exe	106
PID 1404 wrote to memory of 2784	1404	cmd.exe	107
PID 1404 wrote to memory of 2784	1404	cmd.exe	107
PID 1404 wrote to memory of 2784	1404	cmd.exe	107
PID 1404 wrote to memory of 2768	1404	cmd.exe	108
PID 1404 wrote to memory of 2768	1404	cmd.exe	108
PID 1404 wrote to memory of 2768	1404	cmd.exe	108
PID 1404 wrote to memory of 556	1404	cmd.exe	109
PID 1404 wrote to memory of 556	1404	cmd.exe	109
PID 1404 wrote to memory of 556	1404	cmd.exe	109
PID 1404 wrote to memory of 4744	1404	cmd.exe	110
PID 1404 wrote to memory of 4744	1404	cmd.exe	110
PID 1404 wrote to memory of 4744	1404	cmd.exe	110
PID 1404 wrote to memory of 5088	1404	cmd.exe	113
PID 1404 wrote to memory of 5088	1404	cmd.exe	113
PID 1404 wrote to memory of 5088	1404	cmd.exe	113
PID 1404 wrote to memory of 4484	1404	cmd.exe	114
PID 1404 wrote to memory of 4484	1404	cmd.exe	114
PID 1404 wrote to memory of 4484	1404	cmd.exe	114
PID 1404 wrote to memory of 1748	1404	cmd.exe	115
PID 1404 wrote to memory of 1748	1404	cmd.exe	115
PID 1404 wrote to memory of 1748	1404	cmd.exe	115
PID 1404 wrote to memory of 3984	1404	cmd.exe	116
PID 1404 wrote to memory of 3984	1404	cmd.exe	116
PID 1404 wrote to memory of 3984	1404	cmd.exe	116
PID 1404 wrote to memory of 1620	1404	cmd.exe	117
PID 1404 wrote to memory of 1620	1404	cmd.exe	117
PID 1404 wrote to memory of 1620	1404	cmd.exe	117
PID 1404 wrote to memory of 2844	1404	cmd.exe	118
PID 1404 wrote to memory of 2844	1404	cmd.exe	118
PID 1404 wrote to memory of 2844	1404	cmd.exe	118
PID 1404 wrote to memory of 1180	1404	cmd.exe	119
PID 1404 wrote to memory of 1180	1404	cmd.exe	119
PID 1404 wrote to memory of 1180	1404	cmd.exe	119
PID 1404 wrote to memory of 3916	1404	cmd.exe	120
PID 1404 wrote to memory of 3916	1404	cmd.exe	120
PID 1404 wrote to memory of 3916	1404	cmd.exe	120
PID 1404 wrote to memory of 864	1404	cmd.exe	121
PID 1404 wrote to memory of 864	1404	cmd.exe	121
PID 1404 wrote to memory of 864	1404	cmd.exe	121
PID 1404 wrote to memory of 2244	1404	cmd.exe	123
PID 1404 wrote to memory of 2244	1404	cmd.exe	123
PID 1404 wrote to memory of 2244	1404	cmd.exe	123
PID 1404 wrote to memory of 2152	1404	cmd.exe	124
PID 1404 wrote to memory of 2152	1404	cmd.exe	124
PID 1404 wrote to memory of 2152	1404	cmd.exe	124
PID 2152 wrote to memory of 2336	2152	cmd.exe	125
PID 2152 wrote to memory of 2336	2152	cmd.exe	125
PID 2152 wrote to memory of 2336	2152	cmd.exe	125
PID 1404 wrote to memory of 556	1404	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\popcorn.exe
"C:\Users\Admin\AppData\Local\Temp\popcorn.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS1170.tmp\popcorn.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1132
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:936
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:1120
- - C:\Windows\SysWOW64\find.exe
    find /i "IPv4"
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic diskdrive get size
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:4744
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port 1122 TCP" dir=in action=allow protocol=TCP localport=
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5088
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port 1122 UDP" dir=in action=allow protocol=UDP localport=
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4484
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1748
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=DISABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3984
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1620
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set domainprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2844
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set privateprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1180
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set publicprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3916
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:864
- - C:\Windows\SysWOW64\mode.com
    mode 1000
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\Desktop" /v Wallpaper
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Control Panel\Desktop" /v Wallpaper
      4⤵
      PID:2336
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:556
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe user32.dll, UpdatePerUserSystemParameters
    3⤵
    PID:1104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS1170.tmp\9K21JM10B.439a

Filesize
3KB

MD5
f546664c2aa4af4fb4cafe01f1ca25ff

SHA1
b6e0431770aa6aff89c2e8aa229ac518f102d0ff

SHA256
f2e2252497cf334448c0941327fe038ad42c152f30f0b16e0c1937888987c896

SHA512
539e6a7bf32446ff24383173efb4ab7efe8e04648d934fff20e07eb350eb89bfe64eb5c3fc8d4ced849d5ab3ef42b776540d316e1190ce47f9b3a20ac9640fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1170.tmp\AN.png

Filesize
750KB

MD5
bd767d7393fc891f04827e29c4965e22

SHA1
c2fb78e76c7c6e560a53ab32e8157382ce9bb1b4

SHA256
41311240c7dbf7718880577ca5961a924cc2257e604f47f9b189dc16dfb9ed09

SHA512
91fc7c447b6d425df25e666afa80dd6a51d5afcbbc9bb309b176ec56bc60f0af4f7063ed7adf65d044c8fa8f4148ca7ffd81cbcff6bc972b0b3e1ba61b5f9389

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1170.tmp\OIP__1_-removebg-preview.png

Filesize
96KB

MD5
192e86ff665955dd5c2055e441d483db

SHA1
ce610739104dc09943f5766c323ed72f3d3d243d

SHA256
8749f34c70444763ea089c5214ffa7a78df8781be129111ceab11f5241763aef

SHA512
842578bf6e733b6f1e5ccaf2a04f8abb4a937e617cfd862d0b924069cc1ff3bd8a2f3143265d3fb48555b0c400a371d5f6944ea6eed36d4c1d9b119564247f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1170.tmp\en.png

Filesize
199KB

MD5
b5f9f6595ec0b619595bae86b7eb7f1e

SHA1
5a2ca9aa9e74efeec819bb9d126c74d1ac5d4822

SHA256
fc69c6a23bcab6fd0789b3cfe302b37b4b740391fbca941a8f99e1542acaa692

SHA512
61a479cd17199db34e953654efd6637e6f5a919d0d1d48a440a460d15a8d8f6fae98698042e95735acfe585f52e6dc9b99377fcb11768cd32030aa77119916d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1170.tmp\popcorn.bat

Filesize
3KB

MD5
c9b9367cd8f0cf2e6d961c171854a3bc

SHA1
3e0401f5aea8542528da1ec32fb0b01091d99e7d

SHA256
30e2ff1f510fad33a21e8a90987f1f9362f22264a6b12f21357d8b6861772cce

SHA512
8029f1ab10d517e03ccfc3a9d8cdeca63326e414bf2419313d3e12a7575ffa2b979c8bc4a7853bd5cfa27f686c8a9d3412dda000702400be73b9752e67207e83

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads