r77 | f2c407fd5807bfef519782f4a1ddb692e517253458038af8cb95afa1c9d12867

General

Target

983feeba8559708cdf24ccfe95e6b500N.exe
Size

1.4MB
MD5

983feeba8559708cdf24ccfe95e6b500
SHA1

0284cd93330c39a56517c0524b58f99bae212e05
SHA256

f2c407fd5807bfef519782f4a1ddb692e517253458038af8cb95afa1c9d12867
SHA512

f69524363cd51da69ca2cc46f83b8cfb743aa3db1eff0041a0e3106ac2a1f40e7886a21813bb23f45fef46777c490dacfc20cce76ca6b76738786785045884a1
SSDEEP

24576:cFOa8YUyYp231mT6lq7UM4nM2dNR0iTgk22FyDbJ7wDS+eUZ:smwmTSWUMIM2p0iTgkf4V7rUZ

Score

10^/10

r77 discovery evasion persistence rootkit

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

r77
r77 is an open-source, userland rootkit.
rootkit r77

r77 rootkit payload 1 IoCs

Detects the payload of the r77 rootkit.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\983feeba8559708cdf24ccfe95e6b500n.exe	r77_payload

Executes dropped EXE 6 IoCs

Processes:

983feeba8559708cdf24ccfe95e6b500n.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2296 983feeba8559708cdf24ccfe95e6b500n.exe
2572 icsys.icn.exe
2660 explorer.exe
2532 spoolsv.exe
2540 svchost.exe
1324 spoolsv.exe

pid	process
2296	983feeba8559708cdf24ccfe95e6b500n.exe
2572	icsys.icn.exe
2660	explorer.exe
2532	spoolsv.exe
2540	svchost.exe
1324	spoolsv.exe

Loads dropped DLL 8 IoCs

Processes:

983feeba8559708cdf24ccfe95e6b500N.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid	process
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2572	icsys.icn.exe
2660	explorer.exe
2532	spoolsv.exe
2540	svchost.exe
1196
1196

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 5 IoCs

Processes:

spoolsv.exeexplorer.exe983feeba8559708cdf24ccfe95e6b500N.exeicsys.icn.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	983feeba8559708cdf24ccfe95e6b500N.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.exe983feeba8559708cdf24ccfe95e6b500N.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	983feeba8559708cdf24ccfe95e6b500N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2756 schtasks.exe
2312 schtasks.exe

pid	process
2756	schtasks.exe
2312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

983feeba8559708cdf24ccfe95e6b500N.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2660	explorer.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2660 explorer.exe
2540 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

983feeba8559708cdf24ccfe95e6b500n.exe

description pid process

Token: SeDebugPrivilege 2296 983feeba8559708cdf24ccfe95e6b500n.exe

pid	process
2660	explorer.exe
2540	svchost.exe

description	pid	process
Token: SeDebugPrivilege	2296	983feeba8559708cdf24ccfe95e6b500n.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

983feeba8559708cdf24ccfe95e6b500N.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2512	983feeba8559708cdf24ccfe95e6b500N.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2660	explorer.exe
2660	explorer.exe
2532	spoolsv.exe
2532	spoolsv.exe
2540	svchost.exe
2540	svchost.exe
1324	spoolsv.exe
1324	spoolsv.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

983feeba8559708cdf24ccfe95e6b500N.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2512 wrote to memory of 2296	2512	983feeba8559708cdf24ccfe95e6b500N.exe	983feeba8559708cdf24ccfe95e6b500n.exe
PID 2512 wrote to memory of 2296	2512	983feeba8559708cdf24ccfe95e6b500N.exe	983feeba8559708cdf24ccfe95e6b500n.exe
PID 2512 wrote to memory of 2296	2512	983feeba8559708cdf24ccfe95e6b500N.exe	983feeba8559708cdf24ccfe95e6b500n.exe
PID 2512 wrote to memory of 2296	2512	983feeba8559708cdf24ccfe95e6b500N.exe	983feeba8559708cdf24ccfe95e6b500n.exe
PID 2512 wrote to memory of 2572	2512	983feeba8559708cdf24ccfe95e6b500N.exe	icsys.icn.exe
PID 2512 wrote to memory of 2572	2512	983feeba8559708cdf24ccfe95e6b500N.exe	icsys.icn.exe
PID 2512 wrote to memory of 2572	2512	983feeba8559708cdf24ccfe95e6b500N.exe	icsys.icn.exe
PID 2512 wrote to memory of 2572	2512	983feeba8559708cdf24ccfe95e6b500N.exe	icsys.icn.exe
PID 2572 wrote to memory of 2660	2572	icsys.icn.exe	explorer.exe
PID 2572 wrote to memory of 2660	2572	icsys.icn.exe	explorer.exe
PID 2572 wrote to memory of 2660	2572	icsys.icn.exe	explorer.exe
PID 2572 wrote to memory of 2660	2572	icsys.icn.exe	explorer.exe
PID 2660 wrote to memory of 2532	2660	explorer.exe	spoolsv.exe
PID 2660 wrote to memory of 2532	2660	explorer.exe	spoolsv.exe
PID 2660 wrote to memory of 2532	2660	explorer.exe	spoolsv.exe
PID 2660 wrote to memory of 2532	2660	explorer.exe	spoolsv.exe
PID 2532 wrote to memory of 2540	2532	spoolsv.exe	svchost.exe
PID 2532 wrote to memory of 2540	2532	spoolsv.exe	svchost.exe
PID 2532 wrote to memory of 2540	2532	spoolsv.exe	svchost.exe
PID 2532 wrote to memory of 2540	2532	spoolsv.exe	svchost.exe
PID 2540 wrote to memory of 1324	2540	svchost.exe	spoolsv.exe
PID 2540 wrote to memory of 1324	2540	svchost.exe	spoolsv.exe
PID 2540 wrote to memory of 1324	2540	svchost.exe	spoolsv.exe
PID 2540 wrote to memory of 1324	2540	svchost.exe	spoolsv.exe
PID 2660 wrote to memory of 2608	2660	explorer.exe	Explorer.exe
PID 2660 wrote to memory of 2608	2660	explorer.exe	Explorer.exe
PID 2660 wrote to memory of 2608	2660	explorer.exe	Explorer.exe
PID 2660 wrote to memory of 2608	2660	explorer.exe	Explorer.exe
PID 2540 wrote to memory of 2756	2540	svchost.exe	schtasks.exe
PID 2540 wrote to memory of 2756	2540	svchost.exe	schtasks.exe
PID 2540 wrote to memory of 2756	2540	svchost.exe	schtasks.exe
PID 2540 wrote to memory of 2756	2540	svchost.exe	schtasks.exe
PID 2540 wrote to memory of 2312	2540	svchost.exe	schtasks.exe
PID 2540 wrote to memory of 2312	2540	svchost.exe	schtasks.exe
PID 2540 wrote to memory of 2312	2540	svchost.exe	schtasks.exe
PID 2540 wrote to memory of 2312	2540	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\983feeba8559708cdf24ccfe95e6b500N.exe
"C:\Users\Admin\AppData\Local\Temp\983feeba8559708cdf24ccfe95e6b500N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512
- \??\c:\users\admin\appdata\local\temp\983feeba8559708cdf24ccfe95e6b500n.exe
  c:\users\admin\appdata\local\temp\983feeba8559708cdf24ccfe95e6b500n.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2572
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2532
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1324
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:00 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2756
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:01 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2312
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\resources\themes\icsys.icn.exe

Filesize
135KB

MD5
eb26863ba35c122485365deb42a871d7

SHA1
a60c83d2744059df05d8706c55a10e09861357ce

SHA256
8df9bfbe2e8c53f196fdb0d9a43d117a54a89a6d3dffb41140973fe78e8b8bee

SHA512
c872c1bde7408cfe2f8e3f80a173a1d0a74fbb1a2de81d889b354fc7f06cb129d92a0087c415e94f1621324f2d5795a15adfcc02e1244200e0dd5d20aba7781d

Download Submit
\Users\Admin\AppData\Local\Temp\983feeba8559708cdf24ccfe95e6b500n.exe

Filesize
1.3MB

MD5
2619a95b7823ba7d7061723fb24899ff

SHA1
a0f8509a84b80e740e9010f2caebdb366d765026

SHA256
2f7d0647c2643ebed6a9c84b7bf5f22e8daf38f53376428c82993a2438abe4ec

SHA512
83c7f59860ea57379f6f114cfbc671f8a7d8d7495ab0c74d6cf0b73b4449c213305d19a9f6a68090774511254f1e314038fcc0c1a4f14427c1b258b282396fb6

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
18412770e2afbffdccb35c05c5c274b1

SHA1
ad3357d08a36ddd14928b070d2d1ab581abae24c

SHA256
2f7bcad93e0e9cf4dc7f1cfb66b0ac261f21822085bcc2cc7d50d09918aa0a2b

SHA512
f2a578947d09fcd72b236f5491d6db73242f7eba0ad00d84ef7fbbbaa358c6cf3500695e15329bafc31cc9504e1fd1b4930e6c259bb86e7a4698074ec4869f0d

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
1c2da7710fb4a7aa5bed865f89191e0d

SHA1
f58ee8dc6334c25148bfda6491f6b374d8da5191

SHA256
8acf292cc838607425d65dc64df2e2e990f7fa9af5abf90e12ffa57361364dbc

SHA512
b164d0b1ffdcd86371d4fd1d9e898fcefc4613bc4a2f5206b60080bf4aaa42406daa3db54b93d89ac193bf2916b930739d95e847183f36765860a75751080d7e

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
e0f489c643e8ebd1fcf978cbf8dc6116

SHA1
1f347dbde59329b7ed587aafc6df992fa04ace73

SHA256
6c86e7c4069e2d133220f946be1b706a4fa6515955372b6e3d32e35ba39906dc

SHA512
2181bc49212e3775bbc4ceab4d7a449be87c67d005d299d348fe192663a90b4594c8a69adca81b077f5340af9fa13dfcb4657b272ce1b3e7219095fd11c1f947

Download Submit
memory/1324-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2296-72-0x000007FEF5B23000-0x000007FEF5B24000-memory.dmp

Filesize
4KB

Download
memory/2296-20-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2296-91-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2296-11-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2296-75-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2296-10-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/2296-55-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2296-74-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2296-73-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2296-9-0x000007FEF5B23000-0x000007FEF5B24000-memory.dmp

Filesize
4KB

Download
memory/2512-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2512-21-0x00000000005B0000-0x00000000005CF000-memory.dmp

Filesize
124KB

Download
memory/2512-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2532-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2540-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2540-58-0x00000000002C0000-0x00000000002DF000-memory.dmp

Filesize
124KB

Download
memory/2540-94-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2572-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2572-22-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2572-28-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2660-39-0x0000000000370000-0x000000000038F000-memory.dmp

Filesize
124KB

Download
memory/2660-92-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2660-93-0x0000000000370000-0x000000000038F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads