redline | 20ff7a2712194766e9b76a58af90bbe90dfb53a181a7499e24e3ababdc81cb44

Analysis

max time kernel
14s
max time network
104s
platform
windows10_x64
resource
win10v20210408
submitted
23-06-2021 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main_setup_x86x64.exe

Score

10^/10

redline smokeloader vidar 706 7500 903 cana servani aspackv2 backdoor evasion infostealer stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

ServAni

87.251.71.195:82

Extracted

Family

redline

Botnet

7500

ahannnavod.xyz:80

Extracted

Family

redline

Botnet

Cana

176.111.174.254:56328

Extracted

Family

smokeloader

Version

2020

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/

rc4.i32

Extracted

Family

vidar

Version

39.4

Botnet

706

https://sergeevih43.tumblr.com

Attributes

profile_id
706

Extracted

Family

vidar

Version

39.4

Botnet

903

https://sergeevih43.tumblr.com

Attributes

profile_id
903

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

resource	yara_rule
behavioral2/memory/1908-194-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/1908-195-0x0000000000417F26-mapping.dmp	family_redline
behavioral2/memory/4656-271-0x0000000000417E32-mapping.dmp	family_redline
behavioral2/memory/4656-269-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/792-300-0x00000000028D0000-0x00000000028E9000-memory.dmp	family_redline
behavioral2/memory/792-294-0x0000000002660000-0x000000000267B000-memory.dmp	family_redline
behavioral2/memory/1252-339-0x0000000000417E36-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral2/memory/3908-283-0x00000000025E0000-0x000000000267D000-memory.dmp	family_vidar
behavioral2/memory/3908-308-0x0000000000400000-0x000000000094D000-memory.dmp	family_vidar
behavioral2/memory/4520-338-0x000000000046B76D-mapping.dmp	family_vidar
behavioral2/memory/4520-340-0x0000000000400000-0x00000000004A1000-memory.dmp	family_vidar

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000100000001ab50-118.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab50-119.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab4c-122.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab4c-124.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab4b-123.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab4b-129.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab4b-127.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab4e-126.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab4e-130.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
3264	setup_installer.exe
3164	setup_install.exe
1936	sotema_2.exe
3984	sotema_1.exe
636	sotema_9.exe
1768	sotema_5.exe
3908	sotema_3.exe
792	sotema_7.exe
2296	sotema_6.exe
3200	sotema_4.exe
1624	sotema_8.exe
2144	sotema_9.tmp
3996	jfiag3g_gg.exe
1908	sotema_8.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000001ab4b-192.dat	upx
behavioral2/files/0x000200000001ab4b-191.dat	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	sotema_1.exe

Loads dropped DLL 7 IoCs

pid	Process
3164	setup_install.exe
3164	setup_install.exe
3164	setup_install.exe
3164	setup_install.exe
3164	setup_install.exe
3164	setup_install.exe
2144	sotema_9.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ipinfo.io
11	ipinfo.io
13	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1624 set thread context of 1908	1624	sotema_8.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4856	4236	WerFault.exe	114

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	sotema_5.exe
Token: SeDebugPrivilege	1624	sotema_8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 3264	516	main_setup_x86x64.exe	75
PID 516 wrote to memory of 3264	516	main_setup_x86x64.exe	75
PID 516 wrote to memory of 3264	516	main_setup_x86x64.exe	75
PID 3264 wrote to memory of 3164	3264	setup_installer.exe	76
PID 3264 wrote to memory of 3164	3264	setup_installer.exe	76
PID 3264 wrote to memory of 3164	3264	setup_installer.exe	76
PID 3164 wrote to memory of 788	3164	setup_install.exe	80
PID 3164 wrote to memory of 788	3164	setup_install.exe	80
PID 3164 wrote to memory of 788	3164	setup_install.exe	80
PID 3164 wrote to memory of 3460	3164	setup_install.exe	79
PID 3164 wrote to memory of 3460	3164	setup_install.exe	79
PID 3164 wrote to memory of 3460	3164	setup_install.exe	79
PID 3164 wrote to memory of 1348	3164	setup_install.exe	81
PID 3164 wrote to memory of 1348	3164	setup_install.exe	81
PID 3164 wrote to memory of 1348	3164	setup_install.exe	81
PID 3164 wrote to memory of 2112	3164	setup_install.exe	82
PID 3164 wrote to memory of 2112	3164	setup_install.exe	82
PID 3164 wrote to memory of 2112	3164	setup_install.exe	82
PID 3164 wrote to memory of 2772	3164	setup_install.exe	83
PID 3164 wrote to memory of 2772	3164	setup_install.exe	83
PID 3164 wrote to memory of 2772	3164	setup_install.exe	83
PID 3164 wrote to memory of 3080	3164	setup_install.exe	84
PID 3164 wrote to memory of 3080	3164	setup_install.exe	84
PID 3164 wrote to memory of 3080	3164	setup_install.exe	84
PID 3164 wrote to memory of 3912	3164	setup_install.exe	85
PID 3164 wrote to memory of 3912	3164	setup_install.exe	85
PID 3164 wrote to memory of 3912	3164	setup_install.exe	85
PID 3164 wrote to memory of 920	3164	setup_install.exe	86
PID 3164 wrote to memory of 920	3164	setup_install.exe	86
PID 3164 wrote to memory of 920	3164	setup_install.exe	86
PID 3164 wrote to memory of 2360	3164	setup_install.exe	87
PID 3164 wrote to memory of 2360	3164	setup_install.exe	87
PID 3164 wrote to memory of 2360	3164	setup_install.exe	87
PID 788 wrote to memory of 3984	788	cmd.exe	96
PID 788 wrote to memory of 3984	788	cmd.exe	96
PID 788 wrote to memory of 3984	788	cmd.exe	96
PID 3460 wrote to memory of 1936	3460	cmd.exe	95
PID 3460 wrote to memory of 1936	3460	cmd.exe	95
PID 3460 wrote to memory of 1936	3460	cmd.exe	95
PID 2360 wrote to memory of 636	2360	cmd.exe	94
PID 2360 wrote to memory of 636	2360	cmd.exe	94
PID 2360 wrote to memory of 636	2360	cmd.exe	94
PID 2772 wrote to memory of 1768	2772	cmd.exe	93
PID 2772 wrote to memory of 1768	2772	cmd.exe	93
PID 1348 wrote to memory of 3908	1348	cmd.exe	91
PID 1348 wrote to memory of 3908	1348	cmd.exe	91
PID 1348 wrote to memory of 3908	1348	cmd.exe	91
PID 3912 wrote to memory of 792	3912	cmd.exe	88
PID 3912 wrote to memory of 792	3912	cmd.exe	88
PID 3912 wrote to memory of 792	3912	cmd.exe	88
PID 2112 wrote to memory of 3200	2112	cmd.exe	90
PID 2112 wrote to memory of 3200	2112	cmd.exe	90
PID 2112 wrote to memory of 3200	2112	cmd.exe	90
PID 3080 wrote to memory of 2296	3080	cmd.exe	89
PID 3080 wrote to memory of 2296	3080	cmd.exe	89
PID 3080 wrote to memory of 2296	3080	cmd.exe	89
PID 920 wrote to memory of 1624	920	cmd.exe	92
PID 920 wrote to memory of 1624	920	cmd.exe	92
PID 920 wrote to memory of 1624	920	cmd.exe	92
PID 636 wrote to memory of 2144	636	sotema_9.exe	97
PID 636 wrote to memory of 2144	636	sotema_9.exe	97
PID 636 wrote to memory of 2144	636	sotema_9.exe	97
PID 1624 wrote to memory of 1908	1624	sotema_8.exe	98
PID 1624 wrote to memory of 1908	1624	sotema_8.exe	98

C:\Users\Admin\AppData\Local\Temp\main_setup_x86x64.exe
"C:\Users\Admin\AppData\Local\Temp\main_setup_x86x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:516
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Users\Admin\AppData\Local\Temp\7zS0CCE6754\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0CCE6754\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sotema_2.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3460
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CCE6754\sotema_2.exe
        
        sotema_2.exe
        5⤵
        Executes dropped EXE
        
        PID:1936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sotema_1.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:788
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CCE6754\sotema_1.exe
        
        sotema_1.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3984
      - C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
        6⤵
        
        PID:4352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sotema_3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1348
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CCE6754\sotema_3.exe
        
        sotema_3.exe
        5⤵
        Executes dropped EXE
        
        PID:3908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sotema_4.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CCE6754\sotema_4.exe
        
        sotema_4.exe
        5⤵
        Executes dropped EXE
        
        PID:3200
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        Executes dropped EXE
        
        PID:3996
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:4504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sotema_5.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CCE6754\sotema_5.exe
        
        sotema_5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sotema_6.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3080
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CCE6754\sotema_6.exe
        
        sotema_6.exe
        5⤵
        Executes dropped EXE
        
        PID:2296
      - C:\Users\Admin\Documents\TDVX0oIyQbUXGO6m8aKwyahC.exe
        
        "C:\Users\Admin\Documents\TDVX0oIyQbUXGO6m8aKwyahC.exe"
        6⤵
        
        PID:4340
        
        C:\Users\Admin\Documents\TDVX0oIyQbUXGO6m8aKwyahC.exe
        
        "C:\Users\Admin\Documents\TDVX0oIyQbUXGO6m8aKwyahC.exe"
        7⤵
        
        PID:4084
      - C:\Users\Admin\Documents\vEcN08Deai447lObhReWvndj.exe
        
        "C:\Users\Admin\Documents\vEcN08Deai447lObhReWvndj.exe"
        6⤵
        
        PID:4412
      - C:\Users\Admin\Documents\4WsuKxmD5_loUw5NFtrmDUbG.exe
        
        "C:\Users\Admin\Documents\4WsuKxmD5_loUw5NFtrmDUbG.exe"
        6⤵
        
        PID:4400
        
        C:\Users\Admin\Documents\4WsuKxmD5_loUw5NFtrmDUbG.exe
        
        C:\Users\Admin\Documents\4WsuKxmD5_loUw5NFtrmDUbG.exe
        7⤵
        
        PID:4656
      - C:\Users\Admin\Documents\2WZS5uIEparwEj7vNjfvznbg.exe
        
        "C:\Users\Admin\Documents\2WZS5uIEparwEj7vNjfvznbg.exe"
        6⤵
        
        PID:4388
      - C:\Users\Admin\Documents\cNo5wGhwOMoFcLoITLgXN0Is.exe
        
        "C:\Users\Admin\Documents\cNo5wGhwOMoFcLoITLgXN0Is.exe"
        6⤵
        
        PID:4376
      - C:\Users\Admin\Documents\ZsRYXvkDNNXLWOqY1REXVALR.exe
        
        "C:\Users\Admin\Documents\ZsRYXvkDNNXLWOqY1REXVALR.exe"
        6⤵
        
        PID:4708
        
        C:\Users\Admin\Documents\ZsRYXvkDNNXLWOqY1REXVALR.exe
        
        C:\Users\Admin\Documents\ZsRYXvkDNNXLWOqY1REXVALR.exe
        7⤵
        
        PID:4520
      - C:\Users\Admin\Documents\gwq4qASYApQRZ6739zTbMoRD.exe
        
        "C:\Users\Admin\Documents\gwq4qASYApQRZ6739zTbMoRD.exe"
        6⤵
        
        PID:4740
        
        C:\Users\Admin\Documents\gwq4qASYApQRZ6739zTbMoRD.exe
        
        C:\Users\Admin\Documents\gwq4qASYApQRZ6739zTbMoRD.exe
        7⤵
        
        PID:1252
      - C:\Users\Admin\Documents\dv7omecIV1WBDzZMpAi_d6Ht.exe
        
        "C:\Users\Admin\Documents\dv7omecIV1WBDzZMpAi_d6Ht.exe"
        6⤵
        
        PID:4044
      - C:\Users\Admin\Documents\_VF3RQqz4lnh8Kh5vHhk5_jX.exe
        
        "C:\Users\Admin\Documents\_VF3RQqz4lnh8Kh5vHhk5_jX.exe"
        6⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 892
        7⤵
        Program crash
        
        PID:4856
      - C:\Users\Admin\Documents\9BmKBKAEAkg_GsTMfMBTLs0H.exe
        
        "C:\Users\Admin\Documents\9BmKBKAEAkg_GsTMfMBTLs0H.exe"
        6⤵
        
        PID:3632
      - C:\Users\Admin\Documents\edpivxdi7nK3d9CdvodSqcJs.exe
        
        "C:\Users\Admin\Documents\edpivxdi7nK3d9CdvodSqcJs.exe"
        6⤵
        
        PID:3368
      - C:\Users\Admin\Documents\emdulBaqnKGV1t3tKcQiPwGC.exe
        
        "C:\Users\Admin\Documents\emdulBaqnKGV1t3tKcQiPwGC.exe"
        6⤵
        
        PID:4408
      - C:\Users\Admin\Documents\r9JxR5mQHQH5DGpgQS3YXHyr.exe
        
        "C:\Users\Admin\Documents\r9JxR5mQHQH5DGpgQS3YXHyr.exe"
        6⤵
        
        PID:952
      - C:\Users\Admin\Documents\hPg53tmkGnFtbtkUg5wmXSaO.exe
        
        "C:\Users\Admin\Documents\hPg53tmkGnFtbtkUg5wmXSaO.exe"
        6⤵
        
        PID:4788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sotema_7.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3912
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CCE6754\sotema_7.exe
        
        sotema_7.exe
        5⤵
        Executes dropped EXE
        
        PID:792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sotema_8.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:920
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CCE6754\sotema_8.exe
        
        sotema_8.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Users\Admin\AppData\Local\Temp\7zS0CCE6754\sotema_8.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0CCE6754\sotema_8.exe
        6⤵
        Executes dropped EXE
        
        PID:1908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sotema_9.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CCE6754\sotema_9.exe
        
        sotema_9.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:636
      - C:\Users\Admin\AppData\Local\Temp\is-3BJTM.tmp\sotema_9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3BJTM.tmp\sotema_9.tmp" /SL5="$3002E,161510,77824,C:\Users\Admin\AppData\Local\Temp\7zS0CCE6754\sotema_9.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\is-PO6BG.tmp\gucca.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-PO6BG.tmp\gucca.exe" /S /UID=lab212
        7⤵
        
        PID:4280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-249-0x0000028951A60000-0x0000028951AD1000-memory.dmp

Filesize
452KB

Download
memory/636-175-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/792-294-0x0000000002660000-0x000000000267B000-memory.dmp

Filesize
108KB

Download
memory/792-292-0x0000000000A00000-0x0000000000B4A000-memory.dmp

Filesize
1.3MB

Download
memory/792-331-0x0000000000400000-0x000000000090A000-memory.dmp

Filesize
5.0MB

Download
memory/792-300-0x00000000028D0000-0x00000000028E9000-memory.dmp

Filesize
100KB

Download
memory/792-299-0x00000000050C2000-0x00000000050C3000-memory.dmp

Filesize
4KB

Download
memory/792-336-0x00000000050C3000-0x00000000050C4000-memory.dmp

Filesize
4KB

Download
memory/792-335-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/792-304-0x00000000050C4000-0x00000000050C6000-memory.dmp

Filesize
8KB

Download
memory/928-235-0x000001EB404E0000-0x000001EB4052C000-memory.dmp

Filesize
304KB

Download
memory/928-234-0x000001EB405A0000-0x000001EB40611000-memory.dmp

Filesize
452KB

Download
memory/1044-332-0x0000012700510000-0x0000012700581000-memory.dmp

Filesize
452KB

Download
memory/1092-314-0x00000265F7700000-0x00000265F7771000-memory.dmp

Filesize
452KB

Download
memory/1228-329-0x0000020D98540000-0x0000020D985B1000-memory.dmp

Filesize
452KB

Download
memory/1252-341-0x0000000005400000-0x0000000005A06000-memory.dmp

Filesize
6.0MB

Download
memory/1296-323-0x000001929F660000-0x000001929F6D1000-memory.dmp

Filesize
452KB

Download
memory/1380-301-0x000001C362470000-0x000001C3624E1000-memory.dmp

Filesize
452KB

Download
memory/1624-189-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/1624-182-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1768-185-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/1768-176-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/1768-181-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/1768-188-0x00000000028B0000-0x00000000028B2000-memory.dmp

Filesize
8KB

Download
memory/1768-184-0x00000000028C0000-0x00000000028E0000-memory.dmp

Filesize
128KB

Download
memory/1836-312-0x000002B6DE8B0000-0x000002B6DE921000-memory.dmp

Filesize
452KB

Download
memory/1908-201-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/1908-199-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/1908-200-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/1908-194-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1908-202-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/1908-206-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/1908-233-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/1936-333-0x0000000000900000-0x0000000000A4A000-memory.dmp

Filesize
1.3MB

Download
memory/1936-334-0x0000000000400000-0x00000000008F8000-memory.dmp

Filesize
5.0MB

Download
memory/1964-318-0x0000000001310000-0x0000000001326000-memory.dmp

Filesize
88KB

Download
memory/2144-187-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2368-260-0x000001B8B0BA0000-0x000001B8B0C11000-memory.dmp

Filesize
452KB

Download
memory/2388-272-0x0000015BBB140000-0x0000015BBB1B1000-memory.dmp

Filesize
452KB

Download
memory/2604-246-0x0000029CE8300000-0x0000029CE8371000-memory.dmp

Filesize
452KB

Download
memory/2700-326-0x0000028873E30000-0x0000028873EA1000-memory.dmp

Filesize
452KB

Download
memory/2716-328-0x000001E9E0F00000-0x000001E9E0F71000-memory.dmp

Filesize
452KB

Download
memory/3164-147-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3164-150-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3164-148-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3164-149-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3164-131-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3164-134-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3164-132-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3164-133-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3908-283-0x00000000025E0000-0x000000000267D000-memory.dmp

Filesize
628KB

Download
memory/3908-308-0x0000000000400000-0x000000000094D000-memory.dmp

Filesize
5.3MB

Download
memory/4280-220-0x00000000027D0000-0x00000000027D2000-memory.dmp

Filesize
8KB

Download
memory/4352-232-0x0000000002AB0000-0x0000000002B0D000-memory.dmp

Filesize
372KB

Download
memory/4352-230-0x000000000462E000-0x000000000472F000-memory.dmp

Filesize
1.0MB

Download
memory/4400-227-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/4408-344-0x0000000000500000-0x000000000064A000-memory.dmp

Filesize
1.3MB

Download
memory/4408-345-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4520-340-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/4648-343-0x0000013B8EB90000-0x0000013B8EC96000-memory.dmp

Filesize
1.0MB

Download
memory/4648-342-0x0000013B8C4D0000-0x0000013B8C4EB000-memory.dmp

Filesize
108KB

Download
memory/4648-270-0x0000013B8C600000-0x0000013B8C671000-memory.dmp

Filesize
452KB

Download
memory/4656-290-0x0000000004EF0000-0x00000000054F6000-memory.dmp

Filesize
6.0MB

Download
memory/4656-269-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4708-261-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/4708-254-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/4708-275-0x0000000004D10000-0x000000000520E000-memory.dmp

Filesize
5.0MB

Download
memory/4708-276-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/4708-265-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/4740-255-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/4740-285-0x0000000004F10000-0x000000000540E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads