9a2bebd5496cc0040f2377110ad4ca3c74427790d937dbc34a671a19d6293ba0

Analysis

max time kernel
62s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 02:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

94ca78853c2b4a62bdf3127c0671e785.exe
Size

3.8MB
MD5

94ca78853c2b4a62bdf3127c0671e785
SHA1

14047148ddc9823bf23706470334a34b6d87db51
SHA256

9a2bebd5496cc0040f2377110ad4ca3c74427790d937dbc34a671a19d6293ba0
SHA512

1d489b7fd7eaa130c11e5aa1b03610151cafad7d820a2a16b2c682c99645b23c970a37aa0eb41126a8cd5b925a441a16635afed6a9791d2b4da3885465e8bd95
SSDEEP

98304:8b2NpH9N+V+tmCy2Tfffpeot2xMTRKN9TJv0024Lh/:8oA+YRwv8q2SoN95zVh/

Score

10^/10

bootkit discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "calc.exe"	Tropinks.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe

Disables Task Manager via registry modification
evasion

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 10 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe\Debugger = "notepad.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "notepad.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "notepad.exe"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe\Debugger = "notepad.exe"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "notepad.exe"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogonUI.exe	wscript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	94ca78853c2b4a62bdf3127c0671e785.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Tropinks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
1752	Tropinks.exe
3476	system2.exe
1412	system2.exe

Loads dropped DLL 1 IoCs

pid	Process
1752	Tropinks.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000234fc-6.dat	upx
behavioral2/memory/1752-14-0x0000000000400000-0x0000000000697000-memory.dmp	upx
behavioral2/memory/1752-37-0x0000000000400000-0x0000000000697000-memory.dmp	upx
behavioral2/memory/1752-39-0x0000000000400000-0x0000000000697000-memory.dmp	upx
behavioral2/memory/1752-46-0x0000000000400000-0x0000000000697000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\system2.exe"	system2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\system2.exe"	system2.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	Tropinks.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	system2.exe
File opened for modification	\??\PhysicalDrive0	system2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tropinks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94ca78853c2b4a62bdf3127c0671e785.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4296	taskkill.exe
3136	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	Tropinks.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{A03D3F4E-6532-4F78-A7B5-EF71C5EF5C2A}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3284	schtasks.exe
5076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe
1752	Tropinks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1584	explorer.exe
Token: SeCreatePagefilePrivilege	1584	explorer.exe
Token: SeShutdownPrivilege	1584	explorer.exe
Token: SeCreatePagefilePrivilege	1584	explorer.exe
Token: SeDebugPrivilege	3136	taskkill.exe
Token: SeDebugPrivilege	4296	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1584	explorer.exe
1584	explorer.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1584	explorer.exe
1584	explorer.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1752	2700	94ca78853c2b4a62bdf3127c0671e785.exe	84
PID 2700 wrote to memory of 1752	2700	94ca78853c2b4a62bdf3127c0671e785.exe	84
PID 2700 wrote to memory of 1752	2700	94ca78853c2b4a62bdf3127c0671e785.exe	84
PID 1752 wrote to memory of 3476	1752	Tropinks.exe	86
PID 1752 wrote to memory of 3476	1752	Tropinks.exe	86
PID 1752 wrote to memory of 3476	1752	Tropinks.exe	86
PID 1752 wrote to memory of 1412	1752	Tropinks.exe	87
PID 1752 wrote to memory of 1412	1752	Tropinks.exe	87
PID 1752 wrote to memory of 1412	1752	Tropinks.exe	87
PID 3476 wrote to memory of 3284	3476	system2.exe	88
PID 3476 wrote to memory of 3284	3476	system2.exe	88
PID 3476 wrote to memory of 3284	3476	system2.exe	88
PID 1412 wrote to memory of 5076	1412	system2.exe	89
PID 1412 wrote to memory of 5076	1412	system2.exe	89
PID 1412 wrote to memory of 5076	1412	system2.exe	89
PID 1752 wrote to memory of 3364	1752	Tropinks.exe	92
PID 1752 wrote to memory of 3364	1752	Tropinks.exe	92
PID 1752 wrote to memory of 3364	1752	Tropinks.exe	92
PID 3364 wrote to memory of 1740	3364	WScript.exe	93
PID 3364 wrote to memory of 1740	3364	WScript.exe	93
PID 3364 wrote to memory of 1740	3364	WScript.exe	93
PID 1752 wrote to memory of 2896	1752	Tropinks.exe	104
PID 1752 wrote to memory of 2896	1752	Tropinks.exe	104
PID 1752 wrote to memory of 2896	1752	Tropinks.exe	104
PID 2896 wrote to memory of 3136	2896	cmd.exe	106
PID 2896 wrote to memory of 3136	2896	cmd.exe	106
PID 2896 wrote to memory of 3136	2896	cmd.exe	106
PID 1752 wrote to memory of 1800	1752	Tropinks.exe	107
PID 1752 wrote to memory of 1800	1752	Tropinks.exe	107
PID 1752 wrote to memory of 1800	1752	Tropinks.exe	107
PID 1800 wrote to memory of 4296	1800	cmd.exe	109
PID 1800 wrote to memory of 4296	1800	cmd.exe	109
PID 1800 wrote to memory of 4296	1800	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\94ca78853c2b4a62bdf3127c0671e785.exe
"C:\Users\Admin\AppData\Local\Temp\94ca78853c2b4a62bdf3127c0671e785.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tropinks.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tropinks.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies WinLogon
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\system2.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\system2.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\RarSFX0\system2.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3284
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\system2.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\system2.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\RarSFX0\system2.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5076
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\HOOK.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3364
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\HOOK.vbs" /elevated
      4⤵
      Disables RegEdit via registry modification
      Event Triggered Execution: Image File Execution Options Injection
      System Location Discovery: System Language Discovery
      PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c "TASKKILL /F /IM cssrs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\taskkill.exe
      TASKKILL /F /IM cssrs.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c "TASKKILL /F /IM svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\SysWOW64\taskkill.exe
      TASKKILL /F /IM svchost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4296

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HOOK.vbs

Filesize
1KB

MD5
38cff57dd8ec9e274f253791ce84a176

SHA1
20d800c79ef03dbd2afddb63727c16a82386fe05

SHA256
c8cd30241004443adc2e06e04372a14690cea3a247bb6ae4b17c8fe73379856b

SHA512
72f53f59746e3e9e9df2195ce59a515791fa359165ec479a192a9afc4c4a409686df9a1a14800a6d73a1c5c62420f406b353135c04d72f230ee20b908e56189b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tropinks.exe

Filesize
7.7MB

MD5
efe22bad38d34ad934400d2d7c109d4f

SHA1
7d39e88170bea0a1a642b582b400dae762125cbf

SHA256
19ad984a348d6db749fbcc1cee14811c5651e4906130981599c19f715a892944

SHA512
b8f93efa1aa746f3faa077275dd80d6e7820f6b5c85a304b2c388e8bb0d4cfc0aa33c90888e4b1123d860d0bf25fc51bcf0e0b854e57811be5cbe91ebd9bd6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\system2.exe

Filesize
101KB

MD5
1600016f7c212be825ea6cad4bc442d5

SHA1
bf042c75cf82a145eb0039111b5f2d47bb310c7a

SHA256
5791e000c06c8d95d403a143c6a54087cfc1ef51380814a5f5d936a54234c2ee

SHA512
b52ccc6e6d1f8c08bf51b924f8b2f4451ffea7a8066b28acc871d762843674e8652023e5a9e0763833efbe64e23033278ea8db7d470a0e0c565b3db2cc257371

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbD85F.tmp

Filesize
1KB

MD5
214961be07c8ac2e75b06bbdf8d58f35

SHA1
d83e491069122026e76995dd8e7246756ee054d6

SHA256
3738a17c1e396e1da288ebb3994d5c79884d946a3f07af67073b309ada2045f7

SHA512
59d5e78190dd2e4ad9318003028d4f5214cbfd52825a83af2e7f412a81dd9ba68c15325b31b65e325f46482252cde0f19043ec685a3f6843899df43fffeb5caf

Download Submit
memory/1412-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1752-17-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/1752-22-0x0000000010000000-0x00000000106A5000-memory.dmp

Filesize
6.6MB

Download
memory/1752-27-0x0000000010000000-0x00000000106A5000-memory.dmp

Filesize
6.6MB

Download
memory/1752-14-0x0000000000400000-0x0000000000697000-memory.dmp

Filesize
2.6MB

Download
memory/1752-15-0x0000000077882000-0x0000000077883000-memory.dmp

Filesize
4KB

Download
memory/1752-16-0x0000000077883000-0x0000000077884000-memory.dmp

Filesize
4KB

Download
memory/1752-37-0x0000000000400000-0x0000000000697000-memory.dmp

Filesize
2.6MB

Download
memory/1752-38-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/1752-39-0x0000000000400000-0x0000000000697000-memory.dmp

Filesize
2.6MB

Download
memory/1752-41-0x0000000010000000-0x00000000106A5000-memory.dmp

Filesize
6.6MB

Download
memory/1752-46-0x0000000000400000-0x0000000000697000-memory.dmp

Filesize
2.6MB

Download
memory/3476-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads