gh0strat | 24363247ec1a5c97dc2aff3823a54d975a8e6e90fb951422f363de93032362b2

General

Target

2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe
Size

6.1MB
MD5

662169b8e34ef78bc64049c2a3777ec1
SHA1

cf45f8f658c95506bb67cf2114d540417a0065a2
SHA256

24363247ec1a5c97dc2aff3823a54d975a8e6e90fb951422f363de93032362b2
SHA512

7047f44af013c0dc4372f8f2701e754f2d134c1d9a2dcadcaeba9da266322018a2af9fa95822c7e698a512e9fb03238b7251e15db86bdb862832000018b1c548
SSDEEP

98304:qGdVyVT9nOgmh+5jMtzO12sS309zbfhJq6dPnRdm/5HivOC:ZWT9nO7cszxc9zbP9dPRdq8

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 10 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/3608-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3608-10-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3608-6-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2716-15-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2716-16-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2716-27-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1496-37-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1496-41-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1496-42-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2716-18-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 11 IoCs

resource	yara_rule
behavioral2/memory/3608-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3608-10-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3608-6-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2716-15-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2716-16-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/files/0x000700000002347f-23.dat	family_gh0strat
behavioral2/memory/2716-27-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1496-37-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1496-41-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1496-42-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2716-18-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240628265.txt"	svchos.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	HD_2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe

Executes dropped EXE 6 IoCs

pid	Process
3608	svchost.exe
2716	TXPlatforn.exe
4908	svchos.exe
1496	TXPlatforn.exe
3424	HD_2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe
1560	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Loads dropped DLL 3 IoCs

pid	Process
4908	svchos.exe
4860	svchost.exe
1560	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3608-4-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3608-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3608-10-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3608-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2716-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2716-16-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2716-27-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1496-37-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1496-41-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1496-42-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2716-13-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2716-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\240628265.txt	svchos.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	svchos.exe
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatforn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2296	PING.EXE
3732	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8658416-7CCB-4c1d-A021-AFF0A2EB8004}	HD_2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2296	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
448	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe
448	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1496	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3608	svchost.exe
Token: SeLoadDriverPrivilege	1496	TXPlatforn.exe
Token: 33	1496	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	1496	TXPlatforn.exe
Token: 33	1496	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	1496	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
448	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe
448	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe
3424	HD_2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe
3424	HD_2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 3608	448	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe	84
PID 448 wrote to memory of 3608	448	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe	84
PID 448 wrote to memory of 3608	448	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe	84
PID 3608 wrote to memory of 3732	3608	svchost.exe	86
PID 3608 wrote to memory of 3732	3608	svchost.exe	86
PID 3608 wrote to memory of 3732	3608	svchost.exe	86
PID 448 wrote to memory of 4908	448	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe	87
PID 448 wrote to memory of 4908	448	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe	87
PID 448 wrote to memory of 4908	448	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe	87
PID 2716 wrote to memory of 1496	2716	TXPlatforn.exe	88
PID 2716 wrote to memory of 1496	2716	TXPlatforn.exe	88
PID 2716 wrote to memory of 1496	2716	TXPlatforn.exe	88
PID 3732 wrote to memory of 2296	3732	cmd.exe	93
PID 3732 wrote to memory of 2296	3732	cmd.exe	93
PID 3732 wrote to memory of 2296	3732	cmd.exe	93
PID 448 wrote to memory of 3424	448	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe	95
PID 448 wrote to memory of 3424	448	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe	95
PID 448 wrote to memory of 3424	448	2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe	95
PID 3424 wrote to memory of 4736	3424	HD_2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe	97
PID 3424 wrote to memory of 4736	3424	HD_2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe	97
PID 3424 wrote to memory of 4736	3424	HD_2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe	97
PID 4860 wrote to memory of 1560	4860	svchost.exe	102
PID 4860 wrote to memory of 1560	4860	svchost.exe	102
PID 4860 wrote to memory of 1560	4860	svchost.exe	102

C:\Users\Admin\AppData\Local\Temp\2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2296
- C:\Users\Admin\AppData\Local\Temp\svchos.exe
  C:\Users\Admin\AppData\Local\Temp\\svchos.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4908
- C:\Users\Admin\AppData\Local\Temp\HD_2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe
  C:\Users\Admin\AppData\Local\Temp\HD_2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\PWRISOSH.DLL"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4736

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:1496

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:1772

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240628265.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$PowerISO$\BA57.tmp.ico

Filesize
2KB

MD5
4198afdeb9ace242c575ee572af22e1f

SHA1
32784594ec69ca459878010401c3931be8e5e15e

SHA256
b4d6704aabfcc8b7cb8f4ee58b162dd124e2d0e4dce20ecf13eebd262dd1e76e

SHA512
d4288466d9a669c7735dc788f81fd5581876048644c48a58df5e2f8c70d468464d9de2bcbd295cdfe8510fd77a9a3cc26e3de0a1cf985622fec00baefda7f4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_2024-08-14_662169b8e34ef78bc64049c2a3777ec1_icedid_nymaim.exe

Filesize
4.7MB

MD5
7954e9c46d7d4f114981c0aae9f80cc3

SHA1
7e4b1eefb655e1bcab74cc29abad29ea895767b8

SHA256
af16ceb92f1bfbbfbd24488cc2d0e40bf2842ff8035a9e73f39556f5ea3d6568

SHA512
32389ee9bba5610fba190dd44bdfd512eb3728002bb8bd400de11bae63663e0627021050100abc410b12c1285e9f88b9ec037e260a08df407335cff3e68a2489

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.4MB

MD5
fb57ff9837b952b06ef500c82eed4954

SHA1
1143a69dc9866571f83e43f9c17a60ce2969e33c

SHA256
51c88abb8eab10c47cb950dc67d566bb047bd49304343978c085012d34f7eda2

SHA512
d27e9e5cf24bd0d874a3a8eead0d0e33700040d1626bf6a9176c3d4dd9eabbc0985c41bde6cbb11dd7966d69c985f922d7ff4c96f278ae977ce278ed531187fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchos.exe

Filesize
93KB

MD5
3b377ad877a942ec9f60ea285f7119a2

SHA1
60b23987b20d913982f723ab375eef50fafa6c70

SHA256
62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

SHA512
af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
377KB

MD5
a4329177954d4104005bce3020e5ef59

SHA1
23c29e295e2dbb8454012d619ca3f81e4c16e85a

SHA256
6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

SHA512
81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Download Submit
C:\Windows\SysWOW64\240628265.txt

Filesize
50KB

MD5
c530453998faf9ca8afb7674a1b75c3c

SHA1
b0c049a34526af02a1c3864e1ece374308479d4d

SHA256
65e5d3211aaaf76c4b4dab5a05b8f018c4b05ce5dac07e42990f99548cba4729

SHA512
b3426735933a57f3bf9f976c117081cdd1a46d00af4b6ddc415f2589c15848f68a6557612aa23ed719540824813071946ea3e2be57141a3b49a98ef04c1efb14

Download Submit
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/1496-42-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1496-37-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1496-41-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2716-16-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2716-27-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2716-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2716-13-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2716-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3608-6-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3608-10-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3608-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3608-4-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads