mystic | 5e6329c4057eee1f3013f8b81d2ae3a295083dbf4706ced807a18beb5eb4891c

General

Target

f0c223a0f7a1c23a6ae1841202d16dce212051ac42777add4007b408db029df7.exe
Size

1.0MB
MD5

c950caba89c136b14c906d38f7705adc
SHA1

ba023ef7430cd3a188b4bcd56b41179124c49209
SHA256

f0c223a0f7a1c23a6ae1841202d16dce212051ac42777add4007b408db029df7
SHA512

7e0da561f46ecadf20246d1ef4c45fa04edbbbdaa48655245b2cb6bf7bd03c346698233564e678ade872aaba7802a4674539dd3070e35852ba4d492c47cf9ab6
SSDEEP

24576:sye5TtacpZF9mvLPTEXVXTLBpbibKhYqw5Kk:be7bF9lvXbiyYL5

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aa0909.exe	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4YS088JZ.exe	family_redline
behavioral1/memory/2804-48-0x0000000000E20000-0x0000000000E5E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 8 IoCs

Processes:

ru4Fp76.exevu1Pw44.exeiI4qE43.exeaW5jm05.exe1tr69Pa5.exe2aa0909.exe3aE78bV.exe4YS088JZ.exe

pid process

1916 ru4Fp76.exe
2432 vu1Pw44.exe
1600 iI4qE43.exe
3324 aW5jm05.exe
2352 1tr69Pa5.exe
4524 2aa0909.exe
4436 3aE78bV.exe
2804 4YS088JZ.exe

pid	process
1916	ru4Fp76.exe
2432	vu1Pw44.exe
1600	iI4qE43.exe
3324	aW5jm05.exe
2352	1tr69Pa5.exe
4524	2aa0909.exe
4436	3aE78bV.exe
2804	4YS088JZ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f0c223a0f7a1c23a6ae1841202d16dce212051ac42777add4007b408db029df7.exeru4Fp76.exevu1Pw44.exeiI4qE43.exeaW5jm05.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f0c223a0f7a1c23a6ae1841202d16dce212051ac42777add4007b408db029df7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ru4Fp76.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vu1Pw44.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	iI4qE43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	aW5jm05.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1tr69Pa5.exe3aE78bV.exe

description	pid	process	target process
PID 2352 set thread context of 3412	2352	1tr69Pa5.exe	AppLaunch.exe
PID 4436 set thread context of 1992	4436	3aE78bV.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exe

pid	process
1992	AppLaunch.exe
1992	AppLaunch.exe
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288
3288

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

AppLaunch.exe

pid process

1992 AppLaunch.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3288

pid	process
3288

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

f0c223a0f7a1c23a6ae1841202d16dce212051ac42777add4007b408db029df7.exeru4Fp76.exevu1Pw44.exeiI4qE43.exeaW5jm05.exe1tr69Pa5.exe3aE78bV.exe

description	pid	process	target process
PID 2232 wrote to memory of 1916	2232	f0c223a0f7a1c23a6ae1841202d16dce212051ac42777add4007b408db029df7.exe	ru4Fp76.exe
PID 2232 wrote to memory of 1916	2232	f0c223a0f7a1c23a6ae1841202d16dce212051ac42777add4007b408db029df7.exe	ru4Fp76.exe
PID 2232 wrote to memory of 1916	2232	f0c223a0f7a1c23a6ae1841202d16dce212051ac42777add4007b408db029df7.exe	ru4Fp76.exe
PID 1916 wrote to memory of 2432	1916	ru4Fp76.exe	vu1Pw44.exe
PID 1916 wrote to memory of 2432	1916	ru4Fp76.exe	vu1Pw44.exe
PID 1916 wrote to memory of 2432	1916	ru4Fp76.exe	vu1Pw44.exe
PID 2432 wrote to memory of 1600	2432	vu1Pw44.exe	iI4qE43.exe
PID 2432 wrote to memory of 1600	2432	vu1Pw44.exe	iI4qE43.exe
PID 2432 wrote to memory of 1600	2432	vu1Pw44.exe	iI4qE43.exe
PID 1600 wrote to memory of 3324	1600	iI4qE43.exe	aW5jm05.exe
PID 1600 wrote to memory of 3324	1600	iI4qE43.exe	aW5jm05.exe
PID 1600 wrote to memory of 3324	1600	iI4qE43.exe	aW5jm05.exe
PID 3324 wrote to memory of 2352	3324	aW5jm05.exe	1tr69Pa5.exe
PID 3324 wrote to memory of 2352	3324	aW5jm05.exe	1tr69Pa5.exe
PID 3324 wrote to memory of 2352	3324	aW5jm05.exe	1tr69Pa5.exe
PID 2352 wrote to memory of 3412	2352	1tr69Pa5.exe	AppLaunch.exe
PID 2352 wrote to memory of 3412	2352	1tr69Pa5.exe	AppLaunch.exe
PID 2352 wrote to memory of 3412	2352	1tr69Pa5.exe	AppLaunch.exe
PID 2352 wrote to memory of 3412	2352	1tr69Pa5.exe	AppLaunch.exe
PID 2352 wrote to memory of 3412	2352	1tr69Pa5.exe	AppLaunch.exe
PID 2352 wrote to memory of 3412	2352	1tr69Pa5.exe	AppLaunch.exe
PID 2352 wrote to memory of 3412	2352	1tr69Pa5.exe	AppLaunch.exe
PID 2352 wrote to memory of 3412	2352	1tr69Pa5.exe	AppLaunch.exe
PID 3324 wrote to memory of 4524	3324	aW5jm05.exe	2aa0909.exe
PID 3324 wrote to memory of 4524	3324	aW5jm05.exe	2aa0909.exe
PID 3324 wrote to memory of 4524	3324	aW5jm05.exe	2aa0909.exe
PID 1600 wrote to memory of 4436	1600	iI4qE43.exe	3aE78bV.exe
PID 1600 wrote to memory of 4436	1600	iI4qE43.exe	3aE78bV.exe
PID 1600 wrote to memory of 4436	1600	iI4qE43.exe	3aE78bV.exe
PID 4436 wrote to memory of 1992	4436	3aE78bV.exe	AppLaunch.exe
PID 4436 wrote to memory of 1992	4436	3aE78bV.exe	AppLaunch.exe
PID 4436 wrote to memory of 1992	4436	3aE78bV.exe	AppLaunch.exe
PID 4436 wrote to memory of 1992	4436	3aE78bV.exe	AppLaunch.exe
PID 4436 wrote to memory of 1992	4436	3aE78bV.exe	AppLaunch.exe
PID 4436 wrote to memory of 1992	4436	3aE78bV.exe	AppLaunch.exe
PID 2432 wrote to memory of 2804	2432	vu1Pw44.exe	4YS088JZ.exe
PID 2432 wrote to memory of 2804	2432	vu1Pw44.exe	4YS088JZ.exe
PID 2432 wrote to memory of 2804	2432	vu1Pw44.exe	4YS088JZ.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f0c223a0f7a1c23a6ae1841202d16dce212051ac42777add4007b408db029df7.exe
"C:\Users\Admin\AppData\Local\Temp\f0c223a0f7a1c23a6ae1841202d16dce212051ac42777add4007b408db029df7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ru4Fp76.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ru4Fp76.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vu1Pw44.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vu1Pw44.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iI4qE43.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iI4qE43.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1600
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aW5jm05.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aW5jm05.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3324
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tr69Pa5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tr69Pa5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:3412
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aa0909.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aa0909.exe
        6⤵
        Executes dropped EXE
        
        PID:4524
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3aE78bV.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3aE78bV.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4436
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1992
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4YS088JZ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4YS088JZ.exe
      4⤵
      Executes dropped EXE
      PID:2804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2432,i,12161922670941700748,3348345705955601576,262144 --variations-seed-version /prefetch:8
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ru4Fp76.exe

Filesize
893KB

MD5
8de6822948e2dcf82d73d8a937c12961

SHA1
2926c445b5d0a8fa96d8e3af090620364a563aa4

SHA256
ca9e4158dfd191aff331201b3e4b786b29f88cdbc0d8d6a94406c2ccc3560f50

SHA512
54e865a988f4eb2ec82dd195da2f5c1fabe2b455a82a6d9ed4d2952e8f76d694f6b123ed694f241ae43c9bbab1dbeb19e1f1e07345546d7fa31783a4df08c639

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vu1Pw44.exe

Filesize
711KB

MD5
d46c2c8acaf99cb4abae6f9243921195

SHA1
72c222454f2a2d0d7f5ad87cd0ef409e34ceb0e1

SHA256
83643fb23808eba3e366b6c445aa63c15ab465e2f53ba054fe2cdf547a294252

SHA512
d39c970ef56fd6bab663a3a3ff78de8848fcc9c40337239a699c802f665f33536e0ad1d3b23ea166f66157d21d0c1184adfe270141ee76111c4b1a541e50479e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4YS088JZ.exe

Filesize
221KB

MD5
8905918bd7e4f4aeda3a804d81f9ee40

SHA1
3c488a81539116085a1c22df26085f798f7202c8

SHA256
0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde

SHA512
6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iI4qE43.exe

Filesize
537KB

MD5
b37239d1f67b4c86e8f2209f73177103

SHA1
bec7aad968168cf5d0b1a62000debc95ebb69c1c

SHA256
ed1496e016e7bf07416745277fbd0eec88440504909709cd6b27711af80a75b2

SHA512
eca5dde6fd1fe1f91515a16747a68f1ddd6981472a6815c6e5aa819bd082fecd5b3b09864cffed6b90a128befc4f4cd0e47b07b8c26bd52084dfd0d21140f52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3aE78bV.exe

Filesize
252KB

MD5
dc742ad7a18d51c67e388b6e19a61591

SHA1
64a81cd7222fe3760c2b8d602f28f857482570ad

SHA256
879bc1c5c10150b496a0da3683c1a6992e3314949690574f2d072704c251dc9c

SHA512
b97fc5a01efe1044eb57f7656bfa485ddb69b84e72828ae36a7dd124efab00def9ab580186a32067e7a162d84eda2b1b9521be57c5c5dd94adf6e7a1eeb394eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aW5jm05.exe

Filesize
300KB

MD5
9ccf5ab7eb38b6dc5bb5bdae10c0f2cf

SHA1
2cfe07c9205ec8d81033c79377894e99b411db72

SHA256
c30ee23b2223f79248a5e84386c97b65ced389053191964d5090c4546646a334

SHA512
72efaed3d841d37d13b5c3125640ed82b1d9238d6a6600951b901f17fae2ffbade53db53554ec08aa5ccb677b7b4b719fb793bb8770cf563b6049c37aedd6824

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tr69Pa5.exe

Filesize
154KB

MD5
098478afedb77e3ad162dcb60ba1079e

SHA1
aae5fd48aaf7d271c23130197dcfdd8791307d6f

SHA256
9ec13c3b726ec3ca9cf66364b6db9f252c3eaaf124b53d032564aec8e9ee8541

SHA512
145ab134ea391792a91c746b865ac48f2cafc8cec71664b6ca7b8cfc28fe508a953a095bb26f6a69d2066b8489ce02c7b0e82eae6ae5adc0e6b03435de86b14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aa0909.exe

Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
memory/1992-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1992-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1992-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2804-49-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/2804-55-0x0000000007F60000-0x000000000806A000-memory.dmp

Filesize
1.0MB

Download
memory/2804-50-0x00000000080E0000-0x0000000008684000-memory.dmp

Filesize
5.6MB

Download
memory/2804-51-0x0000000007BD0000-0x0000000007C62000-memory.dmp

Filesize
584KB

Download
memory/2804-52-0x0000000007D10000-0x0000000007D20000-memory.dmp

Filesize
64KB

Download
memory/2804-53-0x0000000007CA0000-0x0000000007CAA000-memory.dmp

Filesize
40KB

Download
memory/2804-54-0x0000000008CB0000-0x00000000092C8000-memory.dmp

Filesize
6.1MB

Download
memory/2804-48-0x0000000000E20000-0x0000000000E5E000-memory.dmp

Filesize
248KB

Download
memory/2804-56-0x0000000007E80000-0x0000000007E92000-memory.dmp

Filesize
72KB

Download
memory/2804-57-0x0000000007EE0000-0x0000000007F1C000-memory.dmp

Filesize
240KB

Download
memory/2804-58-0x0000000008070000-0x00000000080BC000-memory.dmp

Filesize
304KB

Download
memory/2804-67-0x0000000007D10000-0x0000000007D20000-memory.dmp

Filesize
64KB

Download
memory/2804-66-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/3288-59-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/3412-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads