Analysis
- max time kernel: 110s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 14-04-2021 11:01
Static task: static1
Behavioral task: behavioral1
  Sample: b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
  Resource: win10v20210408
General
- Target: b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
- Size: 169KB
- MD5: 98562209465bec53327e65649a2b8829
- SHA1: 3a47656ed3df213bd934aa01078a863568fe9f2b
- SHA256: b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe
- SHA512: c11ce14f9cb75df2bc9bd81971c1f8fa885815715f389eb8e796e0f657de59756b36a6f896c216a03c7be7bb3ddff9b8a47aee71146760e4f4d9c6bdc0ff2cc3
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
pid   process
3680  bcdedit.exe
2748  bcdedit.exe
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Process: b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
File renamed: C:\Users\Admin\Pictures\EnterExport.raw => C:\Users\Admin\Pictures\EnterExport.raw.59E81.thor
File renamed: C:\Users\Admin\Pictures\ReadOptimize.raw => C:\Users\Admin\Pictures\ReadOptimize.raw.59E81.thor
File opened for modification: C:\Users\Admin\Pictures\RequestAdd.tiff
File renamed: C:\Users\Admin\Pictures\RequestAdd.tiff => C:\Users\Admin\Pictures\RequestAdd.tiff.59E81.thor
File opened for modification: C:\Users\Admin\Pictures\StopUninstall.tiff
File renamed: C:\Users\Admin\Pictures\StopUninstall.tiff => C:\Users\Admin\Pictures\StopUninstall.tiff.59E81.thor
File renamed: C:\Users\Admin\Pictures\TraceSet.tif => C:\Users\Admin\Pictures\TraceSet.tif.59E81.thor
File renamed: C:\Users\Admin\Pictures\UnregisterMerge.raw => C:\Users\Admin\Pictures\UnregisterMerge.raw.59E81.thor
-
Drops file in Program Files directory 1 IoCs
Processes:
Process: b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Configuration\configuration.sqlite
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid   process
204   vssadmin.exe
-
Kills process with taskkill 13 IoCs
Processes:
pid   process
4180  taskkill.exe
4224  taskkill.exe
4292  taskkill.exe
4156  taskkill.exe
4204  taskkill.exe
4316  taskkill.exe
4340  taskkill.exe
4380  taskkill.exe
4368  taskkill.exe
4268  taskkill.exe
4164  taskkill.exe
4188  taskkill.exe
4280  taskkill.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
640   b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
640   b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
-
Suspicious use of AdjustPrivilegeToken 58 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe"
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c vssadmin delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c wmic shadowcopy delete /nointeractive
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete /nointeractive
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c netsh advfirewall set allprofiles state off
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\netsh.exe
        Command line: netsh advfirewall set allprofiles state off
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c bcdedit /set {current} recoveryenabled no
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {current} recoveryenabled no
        - Modifies boot configuration data using bcdedit
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im note*
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im note*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im powerpnt*
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im powerpnt*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im winword*
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im winword*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im Exchange*
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im Exchange*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im tomcat*
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im tomcat*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im apache*
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im apache*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im java*
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im java*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im python*
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im python*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im post*
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im post*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im vee*
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im vee*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im sql*
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im sql*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im excel*
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im excel*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im mys*
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im mys*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c ping 127.0.0.1>nul & del /q C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        - Runs ping.exe
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6