gh0strat | e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc

General

Target

e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe
Size

3.6MB
MD5

89f08f5810f9b93ad5940c5f02ca89c4
SHA1

cc0a64660f09322badcf1dcceaf56992719ab040
SHA256

e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc
SHA512

ad753d3c72b1b4a14e0cb0ceb70351823793bb5bc3b1757ee1c9c481fa75ed9e7d37c62b6feb0e024dd700dd059e363f622a203f41cca377701dc8ab0cda879a
SSDEEP

49152:zQZAdVyVT9n/Gg0P+Who8JkBg/NKf/9VfZj3FV+s8KuqGaX0ToIBAUZLYo:0GdVyVT9nOgmhx2S/NU9VfZcJBAUZL3

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 11 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/2156-10-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2156-11-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2156-12-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3412-24-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3412-23-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3412-22-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2156-26-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3412-30-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4556-35-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4556-40-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4556-43-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2156-10-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2156-11-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2156-12-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
C:\Windows\SysWOW64\240654093.txt	family_gh0strat
behavioral2/memory/3412-24-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3412-23-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3412-22-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2156-26-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3412-30-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4556-35-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4556-40-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4556-43-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 5 IoCs

Processes:

svchost.exesvchos.exeTXPlatforn.exeTXPlatforn.exeHD_e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe

pid	process
2156	svchost.exe
4456	svchos.exe
3412	TXPlatforn.exe
4556	TXPlatforn.exe
224	HD_e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe

Loads dropped DLL 1 IoCs

Processes:

svchos.exe

pid process

4456 svchos.exe

pid	process
4456	svchos.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2156-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2156-10-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2156-11-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2156-12-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3412-24-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3412-23-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3412-22-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3412-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2156-26-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3412-30-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4556-35-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4556-40-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4556-43-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

Processes:

svchost.exesvchos.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File created	C:\Windows\SysWOW64\240654093.txt	svchos.exe

Drops file in Program Files directory 5 IoCs

Processes:

e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
912	4456	WerFault.exe	svchos.exe
1384	224	WerFault.exe	HD_e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe
1112	4456	WerFault.exe	svchos.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4232 PING.EXE

pid	process
4232	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe

pid	process
4888	e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe
4888	e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

4556 TXPlatforn.exe

pid	process
4556	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2156	svchost.exe
Token: SeLoadDriverPrivilege	4556	TXPlatforn.exe
Token: 33	4556	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	4556	TXPlatforn.exe
Token: 33	4556	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	4556	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exeHD_e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe

pid	process
4888	e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe
4888	e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe
224	HD_e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe
224	HD_e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exesvchost.execmd.exeTXPlatforn.exe

description	pid	process	target process
PID 4888 wrote to memory of 2156	4888	e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe	svchost.exe
PID 4888 wrote to memory of 2156	4888	e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe	svchost.exe
PID 4888 wrote to memory of 2156	4888	e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe	svchost.exe
PID 4888 wrote to memory of 4456	4888	e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe	svchos.exe
PID 4888 wrote to memory of 4456	4888	e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe	svchos.exe
PID 4888 wrote to memory of 4456	4888	e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe	svchos.exe
PID 2156 wrote to memory of 2324	2156	svchost.exe	cmd.exe
PID 2156 wrote to memory of 2324	2156	svchost.exe	cmd.exe
PID 2156 wrote to memory of 2324	2156	svchost.exe	cmd.exe
PID 2324 wrote to memory of 4232	2324	cmd.exe	PING.EXE
PID 2324 wrote to memory of 4232	2324	cmd.exe	PING.EXE
PID 2324 wrote to memory of 4232	2324	cmd.exe	PING.EXE
PID 3412 wrote to memory of 4556	3412	TXPlatforn.exe	TXPlatforn.exe
PID 3412 wrote to memory of 4556	3412	TXPlatforn.exe	TXPlatforn.exe
PID 3412 wrote to memory of 4556	3412	TXPlatforn.exe	TXPlatforn.exe
PID 4888 wrote to memory of 224	4888	e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe	HD_e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe
PID 4888 wrote to memory of 224	4888	e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe	HD_e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe
PID 4888 wrote to memory of 224	4888	e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe	HD_e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe

C:\Users\Admin\AppData\Local\Temp\e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe
"C:\Users\Admin\AppData\Local\Temp\e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:4232

C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 228
3⤵
- Program crash
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 396
3⤵
- Program crash
PID:1112

C:\Users\Admin\AppData\Local\Temp\HD_e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe
C:\Users\Admin\AppData\Local\Temp\HD_e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 676
3⤵
- Program crash
PID:1384

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4456 -ip 4456
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 224 -ip 224
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4456 -ip 4456
1⤵
PID:3368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4332 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.3MB

MD5
e3489f877a0dba66e0389a6af9116447

SHA1
e4fe2c903c4097f3fa0d297036b537ee58f4881d

SHA256
5b09b7a1f4b4c61cd6c57b6eda6c1aa839c430c08198a528927fc927c3d70ee2

SHA512
0790801b7740100298778fb973e958cf8157bd09b973ba5258a2e7ab75f94faf10c0f9deb99c2a88f92c477e767b5941079d26c5159a61436d3ff6cc4b2b9a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_e7ed2abdb90ccc8227c02c9a5675096e57edf5e9fbb4cff8f8f3c8936c1b34fc.exe

Filesize
2.3MB

MD5
02e06b50442678ed011f9b4654c273cd

SHA1
ed1e8c15722e54e62043bbfeda9249631a780168

SHA256
c296e557a3d3b36144598d99025e2f1e1870399149990fba04c9453f64a6b9e0

SHA512
9364600aa2cd09baf7779cce2f805c755bcd39d7474c7ea456ee7a8cb3771878bfdf3f060cb4460608502aa0736be1919ee325dde8da450a36e37d1265bf32c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXC61F.tmp

Filesize
1.2MB

MD5
407bf923e56befc25dde88da62df34d7

SHA1
a11763d0524d0f764dce9dc7be12480e8dd93d54

SHA256
ea12f2e36ecb8dd8b5c62138eaa9a5f624825ed70ef640a33bb18d012f0ef6d8

SHA512
b98bbe81c351d589e6e8cc80313ddac81b9daf34a8866149aee04c47aee5d5181e970641303418c4162fb4809ff8c4584844ac7f18ed89d6e78fed4fe3083510

Download Submit
C:\Users\Admin\AppData\Local\Temp\X.ico

Filesize
69KB

MD5
e33fb6d686b1a8b171349572c5a33f67

SHA1
29f24fe536adf799b69b63c83efadc1bce457a54

SHA256
020c8e0963f89f4b14538b7d69e83c6fec44a29bbbd52fbb6deb2be5c697f450

SHA512
cf1f1d6a9efe53f84e5b4a8246b87c0b96496716605d1b00352d9aae30e664d3d2cbadebf598b4e690a9feef0b5785887a4e643cc5f68938ca744af1d3539e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchos.exe

Filesize
93KB

MD5
3b377ad877a942ec9f60ea285f7119a2

SHA1
60b23987b20d913982f723ab375eef50fafa6c70

SHA256
62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

SHA512
af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
377KB

MD5
a4329177954d4104005bce3020e5ef59

SHA1
23c29e295e2dbb8454012d619ca3f81e4c16e85a

SHA256
6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

SHA512
81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Download Submit
C:\Windows\SysWOW64\240654093.txt

Filesize
50KB

MD5
604b75f8a6c2bf5f301aa30d2b21132c

SHA1
18daa879c911c81eac85d227aaf3f57cecf56843

SHA256
58dbb25531adad674d44d2b516be918f83d405a1060073d8fe1fea3261fb9136

SHA512
8f0eb58b88dc05ce43bec9924fb1fd374acd911f559900345e7f2b761fb7a580a7a57073634d4b4540532dddc2679fea8e2cbe77b51cf047d6bff695b32ee837

Download Submit
memory/2156-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2156-10-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2156-11-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2156-12-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2156-26-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3412-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3412-30-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3412-22-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3412-23-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3412-24-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4556-35-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4556-40-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4556-43-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads