Analysis

  • max time kernel
    123s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    23/12/2021, 13:27

General

  • Target

    80b8dec55830c1c296e7c531e6f554eef1195d9fcaf4084b9f92f2e55922b347.exe

  • Size

    7.1MB

  • MD5

    6a64d8457c2076f5710b5fe3df3c9ac5

  • SHA1

    99d36521728272036fda8e16f3a0942b97f57ad2

  • SHA256

    80b8dec55830c1c296e7c531e6f554eef1195d9fcaf4084b9f92f2e55922b347

  • SHA512

    e56192628de2f06a8ffca1e5f78ae317c016879b5ef8b611f858cbead65332675886f178e7b3bcdaf1f85bbb2993e03996a5f7d4a2c36fb848ebae982c4d1b27

Malware Config

Extracted

  • Family
    socelars
  • C2
    http://www.biohazardgraphics.com/

Extracted

  • Family
    vidar
  • Version
    49.2
  • Botnet
    915
  • C2
    https://mstdn.social/@kipriauk9
    https://qoto.org/@kipriauk8
  • Attributes
    • profile_id
      915

Extracted

  • Family
    smokeloader
  • Version
    2020
  • C2
    http://rcacademy.at/upload/
    http://e-lanpengeonline.com/upload/
    http://vjcmvz.cn/upload/
    http://galala.ru/upload/
    http://witra.ru/upload/
  • rc4.i32
  • rc4.i32

Extracted

  • Family
    redline
  • Botnet
    userv1
  • C2
    159.69.246.184:13127

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 3 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers.

  • Nirsoft 5 IoCs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 32 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
  • Modifies data under HKEY_USERS 6 IoCs
  • Modifies registry class 16 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:880
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:392
  • C:\Users\Admin\AppData\Local\Temp\80b8dec55830c1c296e7c531e6f554eef1195d9fcaf4084b9f92f2e55922b347.exe
    "C:\Users\Admin\AppData\Local\Temp\80b8dec55830c1c296e7c531e6f554eef1195d9fcaf4084b9f92f2e55922b347.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:308
      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:576
          • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\setup_install.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\setup_install.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:608
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                4⤵
                PID:1280
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                    5⤵
                    PID:1552
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                4⤵
                PID:1616
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                    5⤵
                    PID:1224
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Thu06d8b7e7b709fd.exe
                4⤵
                • Loads dropped DLL
                PID:1540
                  • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu06d8b7e7b709fd.exe
                    Thu06d8b7e7b709fd.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Checks processor information in registry
                    PID:1424
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c taskkill /im Thu06d8b7e7b709fd.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu06d8b7e7b709fd.exe" & del C:\ProgramData\*.dll & exit
                        6⤵
                        PID:2248
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Thu06cb8edbec6b2a.exe
                4⤵
                • Loads dropped DLL
                PID:2004
                  • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu06cb8edbec6b2a.exe
                    Thu06cb8edbec6b2a.exe
                    5⤵
                    • Executes dropped EXE
                    • Checks computer location settings
                    • Loads dropped DLL
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1840
                      • C:\Users\Admin\Pictures\Adobe Films\6aJAnz__AqT1XxDCbQeVFhwr.exe
                        "C:\Users\Admin\Pictures\Adobe Films\6aJAnz__AqT1XxDCbQeVFhwr.exe"
                        6⤵
                        • Executes dropped EXE
                        PID:2460
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1468
                        6⤵
                        • Program crash
                        PID:2692
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Thu061520c95edb9f.exe
                4⤵
                • Loads dropped DLL
                PID:1624
                  • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu061520c95edb9f.exe
                    Thu061520c95edb9f.exe
                    5⤵
                    • Executes dropped EXE
                    PID:1308
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Thu06ac8e8b7f.exe
                4⤵
                • Loads dropped DLL
                PID:1152
                  • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu06ac8e8b7f.exe
                    Thu06ac8e8b7f.exe
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:904
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Thu069fc37c007b1293.exe
                4⤵
                • Loads dropped DLL
                PID:1652
                  • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu069fc37c007b1293.exe
                    Thu069fc37c007b1293.exe
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1964
                      • C:\Users\Admin\AppData\Local\4399d024-9510-4944-84d6-07224887a794.exe
                        "C:\Users\Admin\AppData\Local\4399d024-9510-4944-84d6-07224887a794.exe"
                        6⤵
                        • Executes dropped EXE
                        PID:2396
                      • C:\Users\Admin\AppData\Local\18c63426-bf46-4ccb-a5a5-6449512a420d.exe
                        "C:\Users\Admin\AppData\Local\18c63426-bf46-4ccb-a5a5-6449512a420d.exe"
                        6⤵
                        • Executes dropped EXE
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        PID:2900
                      • C:\Users\Admin\AppData\Local\15a70fbb-d2f7-43fe-87bc-6ef4bfc6e1ba.exe
                        "C:\Users\Admin\AppData\Local\15a70fbb-d2f7-43fe-87bc-6ef4bfc6e1ba.exe"
                        6⤵
                        • Executes dropped EXE
                        PID:3044
                          • C:\Users\Admin\AppData\Roaming\2907452.exe
                            "C:\Users\Admin\AppData\Roaming\2907452.exe"
                            7⤵
                            PID:2320
                              • C:\Windows\SysWOW64\control.exe
                                "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\ZO8YMp.CPL",
                                8⤵
                                PID:868
                                  • C:\Windows\SysWOW64\rundll32.exe
                                    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ZO8YMp.CPL",
                                    9⤵
                                    PID:2944
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Thu0602cfc5607d8.exe
                4⤵
                • Loads dropped DLL
                PID:1952
                  • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu0602cfc5607d8.exe
                    Thu0602cfc5607d8.exe
                    5⤵
                    • Executes dropped EXE
                    PID:1192
                      • C:\Users\Admin\AppData\Local\Temp\11111.exe
                        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                        6⤵
                        • Executes dropped EXE
                        PID:572
                      • C:\Users\Admin\AppData\Local\Temp\11111.exe
                        C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                        6⤵
                        • Executes dropped EXE
                        PID:2208
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Thu06d21e8ebe.exe
                4⤵
                • Loads dropped DLL
                PID:1716
                  • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu06d21e8ebe.exe
                    Thu06d21e8ebe.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:1608
                      • C:\Windows\SysWOW64\control.exe
                        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
                        6⤵
                        PID:2912
                          • C:\Windows\SysWOW64\rundll32.exe
                            "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
                            7⤵
                            PID:2988
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Thu06e6e471d7c8.exe
                4⤵
                • Loads dropped DLL
                PID:1756
                  • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu06e6e471d7c8.exe
                    Thu06e6e471d7c8.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:1712
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Thu0667f3f117.exe
                4⤵
                • Loads dropped DLL
                PID:1052
                  • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu0667f3f117.exe
                    Thu0667f3f117.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of SetThreadContext
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1000
                      • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu0667f3f117.exe
                        C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu0667f3f117.exe
                        6⤵
                        • Executes dropped EXE
                        PID:2404
                      • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu0667f3f117.exe
                        C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu0667f3f117.exe
                        6⤵
                        • Executes dropped EXE
                        PID:2052
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Thu06a4ef78de5a7.exe
                4⤵
                • Loads dropped DLL
                PID:1992
                  • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu06a4ef78de5a7.exe
                    Thu06a4ef78de5a7.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Modifies system certificate store
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1760
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /c taskkill /f /im chrome.exe
                        6⤵
                        PID:2572
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /f /im chrome.exe
                            7⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2744
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1424
                        6⤵
                        • Program crash
                        PID:2884
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Thu06a62b896d29c9cfc.exe
                4⤵
                • Loads dropped DLL
                PID:1128
                  • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu06a62b896d29c9cfc.exe
                    Thu06a62b896d29c9cfc.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Checks SCSI registry key(s)
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: MapViewOfSection
                    PID:1972
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Thu06d604ebf18a3.exe /mixtwo
                4⤵
                PID:1920
                  • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu06d604ebf18a3.exe
                    Thu06d604ebf18a3.exe /mixtwo
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of SetThreadContext
                    PID:1316
                      • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu06d604ebf18a3.exe
                        Thu06d604ebf18a3.exe /mixtwo
                        6⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:1752
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu06d604ebf18a3.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu06d604ebf18a3.exe" & exit
                            7⤵
                            PID:2336
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /im "Thu06d604ebf18a3.exe" /f
                                8⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2468
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Thu0628294ec01ad787.exe
                4⤵
                • Loads dropped DLL
                PID:1996
                  • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu0628294ec01ad787.exe
                    Thu0628294ec01ad787.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of AdjustPrivilegeToken
                    PID:460
                      • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu0628294ec01ad787.exe
                        C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu0628294ec01ad787.exe
                        6⤵
                        • Executes dropped EXE
                        PID:2952
                      • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu0628294ec01ad787.exe
                        C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu0628294ec01ad787.exe
                        6⤵
                        PID:2260
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Thu065d27198d93a62.exe
                4⤵
                • Loads dropped DLL
                PID:1176
                  • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu065d27198d93a62.exe
                    Thu065d27198d93a62.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:636
                      • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu065d27198d93a62.exe
                        "C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu065d27198d93a62.exe" -u
                        6⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:1920
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Thu06e47bfad31710.exe
                4⤵
                • Loads dropped DLL
                PID:308
                  • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu06e47bfad31710.exe
                    Thu06e47bfad31710.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:900
                      • C:\Users\Admin\AppData\Local\Temp\is-UI5CL.tmp\Thu06e47bfad31710.tmp
                        "C:\Users\Admin\AppData\Local\Temp\is-UI5CL.tmp\Thu06e47bfad31710.tmp" /SL5="$A0154,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu06e47bfad31710.exe"
                        6⤵
                        • Executes dropped EXE
                        PID:1380
                          • C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu06e47bfad31710.exe
                            "C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu06e47bfad31710.exe" /SILENT
                            7⤵
                            • Executes dropped EXE
                            PID:2072
                              • C:\Users\Admin\AppData\Local\Temp\is-06BBD.tmp\Thu06e47bfad31710.tmp
                                "C:\Users\Admin\AppData\Local\Temp\is-06BBD.tmp\Thu06e47bfad31710.tmp" /SL5="$20162,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS042C47F5\Thu06e47bfad31710.exe" /SILENT
                                8⤵
                                • Executes dropped EXE
                                • Drops file in Program Files directory
                                • Suspicious use of FindShellTrayWindow
                                PID:2144
                                  • C:\Users\Admin\AppData\Local\Temp\is-LGR06.tmp\windllhost.exe
                                    "C:\Users\Admin\AppData\Local\Temp\is-LGR06.tmp\windllhost.exe" 77
                                    9⤵
                                    • Executes dropped EXE
                                    PID:2228
  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    1⤵
    • Process spawned unexpected child process
    PID:2840
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
        2⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2872

Downloads


                                      • memory/1000-286-0x0000000000680000-0x0000000000681000-memory.dmp

                                        Filesize

                                        4KB

                                      • memory/1224-245-0x0000000001E90000-0x0000000002ADA000-memory.dmp

                                        Filesize

                                        12.3MB

                                      • memory/1224-242-0x0000000001E90000-0x0000000002ADA000-memory.dmp

                                        Filesize

                                        12.3MB

                                      • memory/1224-253-0x0000000001E90000-0x0000000002ADA000-memory.dmp

                                        Filesize

                                        12.3MB

                                      • memory/1380-220-0x0000000000260000-0x0000000000261000-memory.dmp

                                        Filesize

                                        4KB

                                      • memory/1412-279-0x0000000002760000-0x0000000002776000-memory.dmp

                                        Filesize

                                        88KB

                                      • memory/1424-258-0x0000000000400000-0x00000000008B0000-memory.dmp

                                        Filesize

                                        4.7MB

                                      • memory/1424-257-0x0000000002340000-0x0000000002415000-memory.dmp

                                        Filesize

                                        852KB

                                      • memory/1424-256-0x00000000008B0000-0x000000000092C000-memory.dmp

                                        Filesize

                                        496KB

                                      • memory/1552-243-0x0000000001F30000-0x0000000002B7A000-memory.dmp

                                        Filesize

                                        12.3MB

                                      • memory/1552-246-0x0000000001F30000-0x0000000002B7A000-memory.dmp

                                        Filesize

                                        12.3MB

                                      • memory/1752-207-0x0000000000400000-0x0000000000450000-memory.dmp

                                        Filesize

                                        320KB

                                      • memory/1752-212-0x0000000000400000-0x0000000000450000-memory.dmp

                                        Filesize

                                        320KB

                                      • memory/1752-202-0x0000000000400000-0x0000000000450000-memory.dmp

                                        Filesize

                                        320KB

                                      • memory/1752-201-0x0000000000400000-0x0000000000450000-memory.dmp

                                        Filesize

                                        320KB

                                      • memory/1840-271-0x0000000003EF0000-0x000000000403E000-memory.dmp

                                        Filesize

                                        1.3MB

                                      • memory/1964-241-0x00000000004A0000-0x00000000004D6000-memory.dmp

                                        Filesize

                                        216KB

                                      • memory/1964-211-0x0000000001310000-0x000000000135A000-memory.dmp

                                        Filesize

                                        296KB

                                      • memory/1964-235-0x0000000000250000-0x0000000000256000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/1964-247-0x00000000003E0000-0x00000000003E6000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/1964-208-0x0000000001310000-0x000000000135A000-memory.dmp

                                        Filesize

                                        296KB

                                      • memory/1964-240-0x000000001AD30000-0x000000001AD32000-memory.dmp

                                        Filesize

                                        8KB

                                      • memory/1972-278-0x0000000000400000-0x000000000083D000-memory.dmp

                                        Filesize

                                        4.2MB

                                      • memory/1972-277-0x0000000000250000-0x0000000000259000-memory.dmp

                                        Filesize

                                        36KB

                                      • memory/1972-276-0x0000000000240000-0x0000000000248000-memory.dmp

                                        Filesize

                                        32KB

                                      • memory/2052-334-0x0000000000400000-0x0000000000420000-memory.dmp

                                        Filesize

                                        128KB

                                      • memory/2072-228-0x0000000000400000-0x00000000004CC000-memory.dmp

                                        Filesize

                                        816KB

                                      • memory/2144-239-0x0000000000260000-0x0000000000261000-memory.dmp

                                        Filesize

                                        4KB

                                      • memory/2208-238-0x0000000000400000-0x000000000047C000-memory.dmp

                                        Filesize

                                        496KB

                                      • memory/2396-299-0x00000000004A0000-0x00000000004A6000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/2396-296-0x0000000000F50000-0x0000000000F9C000-memory.dmp

                                        Filesize

                                        304KB

                                      • memory/2396-319-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

                                        Filesize

                                        4KB

                                      • memory/2396-306-0x0000000000550000-0x0000000000556000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/2396-302-0x0000000000500000-0x000000000054E000-memory.dmp

                                        Filesize

                                        312KB

                                      • memory/2396-297-0x0000000000F50000-0x0000000000F9C000-memory.dmp

                                        Filesize

                                        304KB

                                      • memory/2692-298-0x00000000003A0000-0x00000000003A1000-memory.dmp

                                        Filesize

                                        4KB

                                      • memory/2872-267-0x00000000009B0000-0x0000000000AB1000-memory.dmp

                                        Filesize

                                        1.0MB

                                      • memory/2872-269-0x0000000000780000-0x00000000007DD000-memory.dmp

                                        Filesize

                                        372KB

                                      • memory/2884-287-0x0000000000420000-0x0000000000421000-memory.dmp

                                        Filesize

                                        4KB

                                      • memory/2900-303-0x0000000000190000-0x00000000001D5000-memory.dmp

                                        Filesize

                                        276KB

                                      • memory/2988-289-0x00000000001C0000-0x00000000001C1000-memory.dmp

                                        Filesize

                                        4KB

                                      • memory/2988-290-0x00000000020B0000-0x000000000216B000-memory.dmp

                                        Filesize

                                        748KB

                                      • memory/2988-291-0x000000002D8C0000-0x000000002D979000-memory.dmp

                                        Filesize

                                        740KB

                                      • memory/3044-309-0x0000000000CB0000-0x0000000000CE4000-memory.dmp

                                        Filesize

                                        208KB

                                      • memory/3044-310-0x0000000000CB0000-0x0000000000CE4000-memory.dmp

                                        Filesize

                                        208KB

                                      • memory/3044-313-0x0000000000570000-0x0000000000576000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/3044-317-0x0000000002300000-0x0000000002301000-memory.dmp

                                        Filesize

                                        4KB
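Each dump above is named memory/<pid>-<n>-<start>-<end>-memory.dmp, so the region's size is fixed by its address range and can be checked against the reported Filesize. The script below is an added example written for this page; it is not part of the report or of the sandbox's own tooling. It parses the dump names, recomputes each size in the report's own KB/MB convention, groups regions by process, and lists regions that begin at 0x400000 (the default image base of a 32-bit PE, so a dump there is usually the process's own module rather than a heap buffer). The sample list is a constructed subset of the entries above; the reading that a range dumped several times (for example 0x400000-0x450000 in pid 1752, captured four times) was re-captured because its contents changed, as an unpacking stub rewriting its image would cause, is an assumption of this example, not a statement from the report.

```python
"""Parse sandbox memory-dump names and recompute region sizes from their address ranges."""
import re
from collections import defaultdict

# Constructed subset of the report's dump list: (dump name, Filesize as reported).
SAMPLE_DUMPS = [
    ("memory/608-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp", "1.5MB"),
    ("memory/608-96-0x000000006FE40000-0x000000006FFC6000-memory.dmp", "1.5MB"),
    ("memory/608-92-0x0000000064940000-0x0000000064959000-memory.dmp", "100KB"),
    ("memory/1224-245-0x0000000001E90000-0x0000000002ADA000-memory.dmp", "12.3MB"),
    ("memory/1424-258-0x0000000000400000-0x00000000008B0000-memory.dmp", "4.7MB"),
    ("memory/1752-207-0x0000000000400000-0x0000000000450000-memory.dmp", "320KB"),
    ("memory/1752-212-0x0000000000400000-0x0000000000450000-memory.dmp", "320KB"),
    ("memory/1752-202-0x0000000000400000-0x0000000000450000-memory.dmp", "320KB"),
    ("memory/1752-201-0x0000000000400000-0x0000000000450000-memory.dmp", "320KB"),
    ("memory/2872-267-0x00000000009B0000-0x0000000000AB1000-memory.dmp", "1.0MB"),
    ("memory/2988-291-0x000000002D8C0000-0x000000002D979000-memory.dmp", "740KB"),
]

# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Default image base of a 32-bit PE; a region starting here is normally the process's own module.
DEFAULT_IMAGE_BASE = 0x400000


def parse_dump_name(name):
    """Split a dump name into pid, sequence number, start, end and size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def format_size(nbytes):
    """Render a byte count the way the report does: whole KB below 1 MiB, one decimal MB above."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def check_reported_sizes(dumps):
    """Return the names whose reported Filesize disagrees with the size implied by the range."""
    return [name for name, reported in dumps if format_size(parse_dump_name(name)["size"]) != reported]


def summarise_by_pid(dumps):
    """Map pid -> {(start, end): number of times that exact range was dumped}."""
    per_pid = defaultdict(lambda: defaultdict(int))
    for name, _ in dumps:
        d = parse_dump_name(name)
        per_pid[d["pid"]][(d["start"], d["end"])] += 1
    return {pid: dict(regions) for pid, regions in per_pid.items()}


def image_base_regions(dumps):
    """Regions that start at DEFAULT_IMAGE_BASE, as sorted (pid, size, capture count).
    Assumption of this example: a count above 1 means the sandbox re-captured the region
    because its contents changed, which is what an in-place unpacking stub produces."""
    found = []
    for pid, regions in summarise_by_pid(dumps).items():
        for (start, end), count in regions.items():
            if start == DEFAULT_IMAGE_BASE:
                found.append((pid, end - start, count))
    return sorted(found)


if __name__ == "__main__":
    print("size mismatches:", check_reported_sizes(SAMPLE_DUMPS) or "none")
    for pid, regions in sorted(summarise_by_pid(SAMPLE_DUMPS).items()):
        for (start, end), count in sorted(regions.items()):
            print(f"pid {pid}: 0x{start:08X}-0x{end:08X} {format_size(end - start):>7} x{count}")
    print("image-base regions (pid, size, captures):", image_base_regions(SAMPLE_DUMPS))
```

Run it against the full list to get a per-process map of what the sandbox captured; the largest ranges (the 12.3MB regions in pids 1224 and 1552) and the repeated captures at 0x400000 are the ones worth opening first when looking for unpacked payloads.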