gh0strat | 975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9

General

Target

975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
Size

1.8MB
MD5

2ecaad895fd81f043b09fc3fe37bdf32
SHA1

7ba3c0b70adbb9671cc4a800bcc515cd2352d04b
SHA256

975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9
SHA512

f31cdf0b9b79b33f7348a13f78fc80e7741ea627b489d909f8dbd8f181edecad414214110f8e74e80559c6ac1eb4dcee67a861e0151d68d89dcb36b669b9537c
SSDEEP

24576:ZQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVoI4HArOZDIXwqglte:ZQZAdVyVT9n/Gg0P+WhogrOKwqAw

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/2076-11-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2076-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2076-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2812-27-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/3024-34-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/3024-37-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/3024-49-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2076-11-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2076-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2076-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
\Windows\SysWOW64\259436105.txt	family_gh0strat
behavioral1/memory/2812-27-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/3024-34-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/3024-37-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/3024-49-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchos.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259436105.txt"	svchos.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 7 IoCs

Processes:

svchost.exeTXPlatforn.exesvchos.exeTXPlatforn.exeHD_975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exe

pid	process
2076	svchost.exe
2812	TXPlatforn.exe
2776	svchos.exe
3024	TXPlatforn.exe
2500	HD_975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
1200
2844	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Loads dropped DLL 8 IoCs

Processes:

975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exeTXPlatforn.exesvchos.exesvchost.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exe

pid	process
1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
2812	TXPlatforn.exe
2776	svchos.exe
2632	svchost.exe
1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
2632	svchost.exe
2844	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2076-11-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2076-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2076-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2076-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2812-27-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/3024-34-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/3024-37-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/3024-49-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

Processes:

svchost.exesvchost.exesvchos.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File created	C:\Windows\SysWOW64\259436105.txt	svchos.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	svchos.exe
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe

Drops file in Program Files directory 4 IoCs

Processes:

975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2524 PING.EXE

pid	process
2524	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exeHD_975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe

pid	process
1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
2500	HD_975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
2500	HD_975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

3024 TXPlatforn.exe

pid	process
3024	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2076	svchost.exe
Token: SeLoadDriverPrivilege	3024	TXPlatforn.exe
Token: 33	3024	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	3024	TXPlatforn.exe
Token: 33	3024	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	3024	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe

pid	process
1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exesvchost.exeTXPlatforn.execmd.exesvchost.exe

description	pid	process	target process
PID 1640 wrote to memory of 2076	1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe	svchost.exe
PID 1640 wrote to memory of 2076	1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe	svchost.exe
PID 1640 wrote to memory of 2076	1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe	svchost.exe
PID 1640 wrote to memory of 2076	1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe	svchost.exe
PID 1640 wrote to memory of 2076	1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe	svchost.exe
PID 1640 wrote to memory of 2076	1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe	svchost.exe
PID 1640 wrote to memory of 2076	1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe	svchost.exe
PID 2076 wrote to memory of 1388	2076	svchost.exe	cmd.exe
PID 2076 wrote to memory of 1388	2076	svchost.exe	cmd.exe
PID 2076 wrote to memory of 1388	2076	svchost.exe	cmd.exe
PID 2076 wrote to memory of 1388	2076	svchost.exe	cmd.exe
PID 1640 wrote to memory of 2776	1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe	svchos.exe
PID 1640 wrote to memory of 2776	1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe	svchos.exe
PID 1640 wrote to memory of 2776	1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe	svchos.exe
PID 1640 wrote to memory of 2776	1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe	svchos.exe
PID 2812 wrote to memory of 3024	2812	TXPlatforn.exe	TXPlatforn.exe
PID 2812 wrote to memory of 3024	2812	TXPlatforn.exe	TXPlatforn.exe
PID 2812 wrote to memory of 3024	2812	TXPlatforn.exe	TXPlatforn.exe
PID 2812 wrote to memory of 3024	2812	TXPlatforn.exe	TXPlatforn.exe
PID 2812 wrote to memory of 3024	2812	TXPlatforn.exe	TXPlatforn.exe
PID 2812 wrote to memory of 3024	2812	TXPlatforn.exe	TXPlatforn.exe
PID 2812 wrote to memory of 3024	2812	TXPlatforn.exe	TXPlatforn.exe
PID 1388 wrote to memory of 2524	1388	cmd.exe	PING.EXE
PID 1388 wrote to memory of 2524	1388	cmd.exe	PING.EXE
PID 1388 wrote to memory of 2524	1388	cmd.exe	PING.EXE
PID 1388 wrote to memory of 2524	1388	cmd.exe	PING.EXE
PID 1640 wrote to memory of 2500	1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe	HD_975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
PID 1640 wrote to memory of 2500	1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe	HD_975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
PID 1640 wrote to memory of 2500	1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe	HD_975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
PID 1640 wrote to memory of 2500	1640	975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe	HD_975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
PID 2632 wrote to memory of 2844	2632	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2632 wrote to memory of 2844	2632	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2632 wrote to memory of 2844	2632	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2632 wrote to memory of 2844	2632	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

C:\Users\Admin\AppData\Local\Temp\975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
"C:\Users\Admin\AppData\Local\Temp\975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:2524

C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2776

C:\Users\Admin\AppData\Local\Temp\HD_975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
C:\Users\Admin\AppData\Local\Temp\HD_975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2500

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:2592

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259436105.txt",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VideoLAN\VLC\vlc.exe
Filesize
2.2MB

MD5
40450e32dbeb6cf0dd9d1dada6d642dc

SHA1
94d0bbadedb827b6ef50fd04c3246f908b567c5b

SHA256
a182319b52700801102f48bfd08f6f8db7c102ccaf3242bff691a8e5124d4d93

SHA512
9fc77ec616ea907acda5cd551eef396058a8f0220ebe40e645ab511111cdde0c643b473b9bb8e15aa2479a219e63b806bf6722e49666960cc12d20f62b2bc705

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_975bd24f432ef6fb752135929172444d5f4602725d6a11d6ef04580212f4bbd9.exe
Filesize
551KB

MD5
b65ea506c7a0d4b311f2b9feb351bec8

SHA1
1877ab89f073585c35748e5c46d5f3b958e81a99

SHA256
8a0fbca6cbfd1d70779cf177423f02924354f4edc30f1ba8ab18d044b2a26173

SHA512
fd2f906d30dface15ccf9527ef20f0195bcde1ff6b1400ab59c3bc73e5963ca317045b2abca7158bc86215f1629033272e30839fe4edb6e5422bcc4f481e6d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.2MB

MD5
76fc2bbff11f94e47f0ecd70ecc2da6f

SHA1
1dd2806048b4eac4256bab3b3322508e3bb4c51a

SHA256
e0a583d4db7adc48236b1cbe70dac1ee631dff1c18e44ad178c3b84012176e90

SHA512
ac3700b6223d89cdcee6e597f290850732678192bfeb0d7d792a4fd5436f1232005dc8fe19822671534851daa506c6d4521e0a023a1cf4b2a2542f3d2139beaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchos.exe
Filesize
93KB

MD5
3b377ad877a942ec9f60ea285f7119a2

SHA1
60b23987b20d913982f723ab375eef50fafa6c70

SHA256
62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

SHA512
af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
377KB

MD5
a4329177954d4104005bce3020e5ef59

SHA1
23c29e295e2dbb8454012d619ca3f81e4c16e85a

SHA256
6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

SHA512
81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Download Submit
\Windows\SysWOW64\259436105.txt
Filesize
50KB

MD5
cf51af2aa9f677ec8e2af91fd45bf937

SHA1
e45841385cfafc9791de516fd241f97be1b95442

SHA256
ef4f4749a99fbd7e7c08d4b80cd17cd81e0d5fb9b3894c5804d39c21c85fba20

SHA512
dfdc6bfbc4f3b48094e1bce7e59b080466e6a35bb8cc4403b56ab490566d1ffa7a2979d919ca15158f3f125edc3a2fc6bf792bdfc5ce53ed761a75cac2891721

Download Submit
\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/2076-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2076-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2076-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2076-11-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2812-27-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3024-34-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3024-37-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3024-49-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads