redline | 36b7419eb850d06e31f8323dfbd6460240d09ec99e34fb5280279d9dc297d1ba

Analysis

max time kernel
150s
max time network
194s
platform
windows7_x64
resource
win7v20210408
submitted
22-06-2021 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8d8fc71f6f9802c725fd8930b0964d1.exe
Size

3.3MB
MD5

a8d8fc71f6f9802c725fd8930b0964d1
SHA1

f4f79dde85e23bf7a6e0708d665ef38ba0ac6568
SHA256

36b7419eb850d06e31f8323dfbd6460240d09ec99e34fb5280279d9dc297d1ba
SHA512

720bbb90a50e77ace5a409618fde663ac76e7db41ca6b55d27124edb9f87e9a85aa8e67cbda01c9dbb6a7a36cf0d8caa9f5f399441fc555f0b48212ed0cb1c83

Score

10^/10

redline vidar 22_6_r ani aspackv2 infostealer stealer themida

Malware Config

Extracted

Family

redline

Botnet

Ani

yaklalau.xyz:80

Extracted

Family

redline

Botnet

22_6_r

qitoshalan.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

resource	yara_rule
behavioral1/memory/1996-163-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2656-220-0x0000000000417F22-mapping.dmp	family_redline
behavioral1/memory/2656-219-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2656-222-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2416-243-0x0000000000417F1A-mapping.dmp	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

ASPack v2.12-2.42 14 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00030000000130c6-61.dat	aspack_v212_v242
behavioral1/files/0x00030000000130c6-62.dat	aspack_v212_v242
behavioral1/files/0x00030000000130c6-63.dat	aspack_v212_v242
behavioral1/files/0x00030000000130c6-65.dat	aspack_v212_v242
behavioral1/files/0x00030000000130c2-67.dat	aspack_v212_v242
behavioral1/files/0x00030000000130c2-66.dat	aspack_v212_v242
behavioral1/files/0x00030000000130c1-68.dat	aspack_v212_v242
behavioral1/files/0x00030000000130c1-69.dat	aspack_v212_v242
behavioral1/files/0x00030000000130c4-74.dat	aspack_v212_v242
behavioral1/files/0x00030000000130c4-75.dat	aspack_v212_v242
behavioral1/files/0x00030000000130c6-79.dat	aspack_v212_v242
behavioral1/files/0x00030000000130c6-78.dat	aspack_v212_v242
behavioral1/files/0x00030000000130c6-80.dat	aspack_v212_v242
behavioral1/files/0x00030000000130c6-77.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2020	setup_install.exe
1988	arnatic_3.exe
364	arnatic_1.exe

Loads dropped DLL 22 IoCs

pid	Process
1696	a8d8fc71f6f9802c725fd8930b0964d1.exe
1696	a8d8fc71f6f9802c725fd8930b0964d1.exe
1696	a8d8fc71f6f9802c725fd8930b0964d1.exe
2020	setup_install.exe
2020	setup_install.exe
2020	setup_install.exe
2020	setup_install.exe
2020	setup_install.exe
2020	setup_install.exe
2020	setup_install.exe
2020	setup_install.exe
568	cmd.exe
568	cmd.exe
1836	DllHost.exe
364	arnatic_1.exe
364	arnatic_1.exe
1988	arnatic_3.exe
1988	arnatic_3.exe
300	cmd.exe
956	cmd.exe
1312	cmd.exe
1312	cmd.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2288-215-0x0000000000320000-0x0000000000321000-memory.dmp	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
103	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2968	2580	WerFault.exe	67
2560	2176	WerFault.exe	79
1600	364	WerFault.exe	33

Kills process with taskkill 2 IoCs

evasion

pid	Process
2908	taskkill.exe
3056	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2020	1696	a8d8fc71f6f9802c725fd8930b0964d1.exe	27
PID 1696 wrote to memory of 2020	1696	a8d8fc71f6f9802c725fd8930b0964d1.exe	27
PID 1696 wrote to memory of 2020	1696	a8d8fc71f6f9802c725fd8930b0964d1.exe	27
PID 1696 wrote to memory of 2020	1696	a8d8fc71f6f9802c725fd8930b0964d1.exe	27
PID 1696 wrote to memory of 2020	1696	a8d8fc71f6f9802c725fd8930b0964d1.exe	27
PID 1696 wrote to memory of 2020	1696	a8d8fc71f6f9802c725fd8930b0964d1.exe	27
PID 1696 wrote to memory of 2020	1696	a8d8fc71f6f9802c725fd8930b0964d1.exe	27
PID 2020 wrote to memory of 568	2020	setup_install.exe	30
PID 2020 wrote to memory of 568	2020	setup_install.exe	30
PID 2020 wrote to memory of 568	2020	setup_install.exe	30
PID 2020 wrote to memory of 568	2020	setup_install.exe	30
PID 2020 wrote to memory of 568	2020	setup_install.exe	30
PID 2020 wrote to memory of 568	2020	setup_install.exe	30
PID 2020 wrote to memory of 568	2020	setup_install.exe	30
PID 2020 wrote to memory of 1424	2020	setup_install.exe	31
PID 2020 wrote to memory of 1424	2020	setup_install.exe	31
PID 2020 wrote to memory of 1424	2020	setup_install.exe	31
PID 2020 wrote to memory of 1424	2020	setup_install.exe	31
PID 2020 wrote to memory of 1424	2020	setup_install.exe	31
PID 2020 wrote to memory of 1424	2020	setup_install.exe	31
PID 2020 wrote to memory of 1424	2020	setup_install.exe	31
PID 2020 wrote to memory of 1836	2020	setup_install.exe	48
PID 2020 wrote to memory of 1836	2020	setup_install.exe	48
PID 2020 wrote to memory of 1836	2020	setup_install.exe	48
PID 2020 wrote to memory of 1836	2020	setup_install.exe	48
PID 2020 wrote to memory of 1836	2020	setup_install.exe	48
PID 2020 wrote to memory of 1836	2020	setup_install.exe	48
PID 2020 wrote to memory of 1836	2020	setup_install.exe	48
PID 2020 wrote to memory of 324	2020	setup_install.exe	47
PID 2020 wrote to memory of 324	2020	setup_install.exe	47
PID 2020 wrote to memory of 324	2020	setup_install.exe	47
PID 2020 wrote to memory of 324	2020	setup_install.exe	47
PID 2020 wrote to memory of 324	2020	setup_install.exe	47
PID 2020 wrote to memory of 324	2020	setup_install.exe	47
PID 2020 wrote to memory of 324	2020	setup_install.exe	47
PID 568 wrote to memory of 364	568	cmd.exe	33
PID 568 wrote to memory of 364	568	cmd.exe	33
PID 568 wrote to memory of 364	568	cmd.exe	33
PID 568 wrote to memory of 364	568	cmd.exe	33
PID 568 wrote to memory of 364	568	cmd.exe	33
PID 568 wrote to memory of 364	568	cmd.exe	33
PID 568 wrote to memory of 364	568	cmd.exe	33
PID 2020 wrote to memory of 300	2020	setup_install.exe	46
PID 2020 wrote to memory of 300	2020	setup_install.exe	46
PID 2020 wrote to memory of 300	2020	setup_install.exe	46
PID 2020 wrote to memory of 300	2020	setup_install.exe	46
PID 2020 wrote to memory of 300	2020	setup_install.exe	46
PID 2020 wrote to memory of 300	2020	setup_install.exe	46
PID 2020 wrote to memory of 300	2020	setup_install.exe	46
PID 1836 wrote to memory of 1988	1836	DllHost.exe	34
PID 1836 wrote to memory of 1988	1836	DllHost.exe	34
PID 1836 wrote to memory of 1988	1836	DllHost.exe	34
PID 1836 wrote to memory of 1988	1836	DllHost.exe	34
PID 1836 wrote to memory of 1988	1836	DllHost.exe	34
PID 1836 wrote to memory of 1988	1836	DllHost.exe	34
PID 1836 wrote to memory of 1988	1836	DllHost.exe	34
PID 2020 wrote to memory of 956	2020	setup_install.exe	44
PID 2020 wrote to memory of 956	2020	setup_install.exe	44
PID 2020 wrote to memory of 956	2020	setup_install.exe	44
PID 2020 wrote to memory of 956	2020	setup_install.exe	44
PID 2020 wrote to memory of 956	2020	setup_install.exe	44
PID 2020 wrote to memory of 956	2020	setup_install.exe	44
PID 2020 wrote to memory of 956	2020	setup_install.exe	44
PID 2020 wrote to memory of 1312	2020	setup_install.exe	43

C:\Users\Admin\AppData\Local\Temp\a8d8fc71f6f9802c725fd8930b0964d1.exe
"C:\Users\Admin\AppData\Local\Temp\a8d8fc71f6f9802c725fd8930b0964d1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\7zS0A6350F4\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS0A6350F4\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c arnatic_1.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\7zS0A6350F4\arnatic_1.exe
      arnatic_1.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:364
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 968
        5⤵
        Program crash
        
        PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c arnatic_2.exe
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c arnatic_3.exe
    3⤵
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\7zS0A6350F4\arnatic_3.exe
      arnatic_3.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1988
    - - C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
        5⤵
        
        PID:1452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c arnatic_8.exe
    3⤵
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c arnatic_7.exe
    3⤵
    - Loads dropped DLL
    PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c arnatic_6.exe
    3⤵
    - Loads dropped DLL
    PID:956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c arnatic_5.exe
    3⤵
    - Loads dropped DLL
    PID:300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c arnatic_4.exe
    3⤵
    PID:324

C:\Users\Admin\AppData\Local\Temp\7zS0A6350F4\arnatic_5.exe
arnatic_5.exe
1⤵
PID:900
- C:\Users\Admin\AppData\Roaming\1822378.exe
  "C:\Users\Admin\AppData\Roaming\1822378.exe"
  2⤵
  PID:2580
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2580 -s 524
    3⤵
    - Program crash
    PID:2968
- C:\Users\Admin\AppData\Roaming\3749735.exe
  "C:\Users\Admin\AppData\Roaming\3749735.exe"
  2⤵
  PID:2624
- C:\Users\Admin\AppData\Roaming\2361525.exe
  "C:\Users\Admin\AppData\Roaming\2361525.exe"
  2⤵
  PID:2664
- C:\Users\Admin\AppData\Roaming\6242654.exe
  "C:\Users\Admin\AppData\Roaming\6242654.exe"
  2⤵
  PID:2704

C:\Users\Admin\AppData\Local\Temp\7zS0A6350F4\arnatic_7.exe
arnatic_7.exe
1⤵
PID:680
- C:\Users\Admin\AppData\Local\Temp\7zS0A6350F4\arnatic_7.exe
  C:\Users\Admin\AppData\Local\Temp\7zS0A6350F4\arnatic_7.exe
  2⤵
  PID:1996

C:\Users\Admin\AppData\Local\Temp\7zS0A6350F4\arnatic_8.exe
arnatic_8.exe
1⤵
PID:784

C:\Users\Admin\AppData\Local\Temp\7zS0A6350F4\arnatic_6.exe
arnatic_6.exe
1⤵
PID:1388
- C:\Users\Admin\Documents\BvIPT99aEAIm2TxeQXe4jP9I.exe
  "C:\Users\Admin\Documents\BvIPT99aEAIm2TxeQXe4jP9I.exe"
  2⤵
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\03250045-7786-4d2a-aa42-00cc0538b4dc\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\03250045-7786-4d2a-aa42-00cc0538b4dc\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\03250045-7786-4d2a-aa42-00cc0538b4dc\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:3016
  - - C:\Users\Admin\AppData\Local\Temp\03250045-7786-4d2a-aa42-00cc0538b4dc\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\03250045-7786-4d2a-aa42-00cc0538b4dc\AdvancedRun.exe" /SpecialRun 4101d8 3016
      4⤵
      PID:2392
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\BvIPT99aEAIm2TxeQXe4jP9I.exe" -Force
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 1
    3⤵
    PID:1232
- C:\Users\Admin\Documents\Vb6mYvH3lrttGWwKVevXVxhc.exe
  "C:\Users\Admin\Documents\Vb6mYvH3lrttGWwKVevXVxhc.exe"
  2⤵
  PID:2324
- C:\Users\Admin\Documents\8dNZoicPsyGV78NV2QvJOKxE.exe
  "C:\Users\Admin\Documents\8dNZoicPsyGV78NV2QvJOKxE.exe"
  2⤵
  PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im 8dNZoicPsyGV78NV2QvJOKxE.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\8dNZoicPsyGV78NV2QvJOKxE.exe" & del C:\ProgramData\*.dll & exit
    3⤵
    PID:2940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im 8dNZoicPsyGV78NV2QvJOKxE.exe /f
      4⤵
      Kills process with taskkill
      PID:3056
- C:\Users\Admin\Documents\N4yxJzlb9RzVdOsXzM7UPdhs.exe
  "C:\Users\Admin\Documents\N4yxJzlb9RzVdOsXzM7UPdhs.exe"
  2⤵
  PID:2300
- C:\Users\Admin\Documents\gSVXgTUjR2k3SwbhxjVdYyeB.exe
  "C:\Users\Admin\Documents\gSVXgTUjR2k3SwbhxjVdYyeB.exe"
  2⤵
  PID:2288
- C:\Users\Admin\Documents\iPAgey1yYqs5_hBizVJWcOcG.exe
  "C:\Users\Admin\Documents\iPAgey1yYqs5_hBizVJWcOcG.exe"
  2⤵
  PID:2276
- C:\Users\Admin\Documents\fZpH4IpRtAVb3Jv3zQOmGnWO.exe
  "C:\Users\Admin\Documents\fZpH4IpRtAVb3Jv3zQOmGnWO.exe"
  2⤵
  PID:2264
- C:\Users\Admin\Documents\UyVyRPG5sjCQnB1IshGj_jjx.exe
  "C:\Users\Admin\Documents\UyVyRPG5sjCQnB1IshGj_jjx.exe"
  2⤵
  PID:2252
- C:\Users\Admin\Documents\efK3MfcSzodMQQEm42sB9rFM.exe
  "C:\Users\Admin\Documents\efK3MfcSzodMQQEm42sB9rFM.exe"
  2⤵
  PID:2224
- C:\Users\Admin\Documents\LT2Q4I0K9HVBT0cuQUPnSIFh.exe
  "C:\Users\Admin\Documents\LT2Q4I0K9HVBT0cuQUPnSIFh.exe"
  2⤵
  PID:2232
- C:\Users\Admin\Documents\5IPQUYZ0a6AgHk4dt5HGiOid.exe
  "C:\Users\Admin\Documents\5IPQUYZ0a6AgHk4dt5HGiOid.exe"
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "5IPQUYZ0a6AgHk4dt5HGiOid.exe" /f & erase "C:\Users\Admin\Documents\5IPQUYZ0a6AgHk4dt5HGiOid.exe" & exit
    3⤵
    PID:2844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "5IPQUYZ0a6AgHk4dt5HGiOid.exe" /f
      4⤵
      Kills process with taskkill
      PID:2908
- C:\Users\Admin\Documents\BiHMY8VKkhDEMq4NiOezC_Ow.exe
  "C:\Users\Admin\Documents\BiHMY8VKkhDEMq4NiOezC_Ow.exe"
  2⤵
  PID:2188
- - C:\Program Files (x86)\Company\NewProduct\jooyu.exe
    "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
    3⤵
    PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:3028
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    PID:2176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 292
      4⤵
      Program crash
      PID:2560
- - C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
    "C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"
    3⤵
    PID:1300
  - - C:\Windows\SysWOW64\rUNdlL32.eXe
      "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl
      4⤵
      PID:2840
- - C:\Program Files (x86)\Company\NewProduct\file4.exe
    "C:\Program Files (x86)\Company\NewProduct\file4.exe"
    3⤵
    PID:3068
- C:\Users\Admin\Documents\YIWxXA1sPOEv8YzAo0zTk8Km.exe
  "C:\Users\Admin\Documents\YIWxXA1sPOEv8YzAo0zTk8Km.exe"
  2⤵
  PID:2168
- - C:\Users\Admin\Documents\YIWxXA1sPOEv8YzAo0zTk8Km.exe
    C:\Users\Admin\Documents\YIWxXA1sPOEv8YzAo0zTk8Km.exe
    3⤵
    PID:2656
- C:\Users\Admin\Documents\84PjhIm_0RthLxZKRC0MIqPs.exe
  "C:\Users\Admin\Documents\84PjhIm_0RthLxZKRC0MIqPs.exe"
  2⤵
  PID:2392
- - C:\Windows\SysWOW64\rUNdlL32.eXe
    "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
    3⤵
    PID:3040
- C:\Users\Admin\Documents\x_Q8AIOH2UzwfaGoOCqxrZip.exe
  "C:\Users\Admin\Documents\x_Q8AIOH2UzwfaGoOCqxrZip.exe"
  2⤵
  PID:2408
- - C:\Users\Admin\Documents\x_Q8AIOH2UzwfaGoOCqxrZip.exe
    C:\Users\Admin\Documents\x_Q8AIOH2UzwfaGoOCqxrZip.exe
    3⤵
    PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:1800

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/680-151-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/900-149-0x0000000000450000-0x0000000000471000-memory.dmp

Filesize
132KB

Download
memory/900-148-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/900-137-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/900-150-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1696-60-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1996-163-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2020-107-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2020-84-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2020-83-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2020-81-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2020-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2168-200-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/2288-215-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2336-201-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/2408-203-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/2580-205-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/2624-218-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/2656-222-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2656-219-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2704-225-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads