redline | 2f4436227631fbfc70b98404559985ec59119ef620bc856f127d2cf927659be0

General

Target

SkyBlade/StartGame.exe
Size

3.3MB
MD5

6cc724aeb4a4b65ec4c162f88bcd251c
SHA1

1eabb1cdb279a90518654f58071674bc8db62511
SHA256

e5963aca74fd4fca8fbd1f4189cb726f4c1acffd39fe28626e8eafdf82e147a9
SHA512

e9703dd68996474eaf17fbc992e766bcac89523cfc8598d180a417bdbbed832d05e01cb5fc8907ff478bc6adc020e819297a5154ad1025c9377918f1683d0186

Score

10^/10

redline 1 evasion infostealer persistence spyware trojan upx

Malware Config

Extracted

Family

redline

Botnet

1

C2

65.108.5.252:43673

Attributes

auth_value
95517c2a2f56575288c35d9dfde4a6aa

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2260-134-0x00000000001D0000-0x00000000001F0000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

esss.exeOneDrive.exe

pid process

2380 esss.exe
5012 OneDrive.exe

pid	process
2380	esss.exe
5012	OneDrive.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1144-170-0x0000000140000000-0x0000000142B59000-memory.dmp	upx
behavioral2/memory/1144-172-0x0000000140000000-0x0000000142B59000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

StartGame.exeesss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	StartGame.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	StartGame.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	esss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	esss.exe

Loads dropped DLL 1 IoCs

Processes:

OneDrive.exe

pid process

5012 OneDrive.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5012	OneDrive.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

REG.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"	REG.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

StartGame.exeesss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartGame.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	esss.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 ipinfo.io

flow	ioc
35	ipinfo.io

Suspicious use of SetThreadContext 17 IoCs

Processes:

StartGame.exeesss.exeOneDrive.exe

description	pid	process	target process
PID 3948 set thread context of 2260	3948	StartGame.exe	AppLaunch.exe
PID 2380 set thread context of 3600	2380	esss.exe	AppLaunch.exe
PID 5012 set thread context of 1144	5012	OneDrive.exe	svchost.exe
PID 5012 set thread context of 4564	5012	OneDrive.exe	svchost.exe
PID 5012 set thread context of 2868	5012	OneDrive.exe	svchost.exe
PID 5012 set thread context of 3140	5012	OneDrive.exe	svchost.exe
PID 5012 set thread context of 3032	5012	OneDrive.exe	svchost.exe
PID 5012 set thread context of 1808	5012	OneDrive.exe	svchost.exe
PID 5012 set thread context of 3000	5012	OneDrive.exe	svchost.exe
PID 5012 set thread context of 2572	5012	OneDrive.exe	svchost.exe
PID 5012 set thread context of 3252	5012	OneDrive.exe	svchost.exe
PID 5012 set thread context of 5100	5012	OneDrive.exe	svchost.exe
PID 5012 set thread context of 4660	5012	OneDrive.exe	svchost.exe
PID 5012 set thread context of 4816	5012	OneDrive.exe	svchost.exe
PID 5012 set thread context of 5056	5012	OneDrive.exe	svchost.exe
PID 5012 set thread context of 1944	5012	OneDrive.exe	svchost.exe
PID 5012 set thread context of 4764	5012	OneDrive.exe	svchost.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

REG.exeREG.exe

pid process

1164 REG.exe
2796 REG.exe

pid	process
1164	REG.exe
2796	REG.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exeAppLaunch.exeOneDrive.exe

pid	process
2260	AppLaunch.exe
3600	AppLaunch.exe
3600	AppLaunch.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe
5012	OneDrive.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2260 AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2260	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

StartGame.exeAppLaunch.exeesss.exeAppLaunch.exeOneDrive.exe

description	pid	process	target process
PID 3948 wrote to memory of 2260	3948	StartGame.exe	AppLaunch.exe
PID 3948 wrote to memory of 2260	3948	StartGame.exe	AppLaunch.exe
PID 3948 wrote to memory of 2260	3948	StartGame.exe	AppLaunch.exe
PID 3948 wrote to memory of 2260	3948	StartGame.exe	AppLaunch.exe
PID 3948 wrote to memory of 2260	3948	StartGame.exe	AppLaunch.exe
PID 2260 wrote to memory of 2380	2260	AppLaunch.exe	esss.exe
PID 2260 wrote to memory of 2380	2260	AppLaunch.exe	esss.exe
PID 2260 wrote to memory of 2380	2260	AppLaunch.exe	esss.exe
PID 2380 wrote to memory of 3600	2380	esss.exe	AppLaunch.exe
PID 2380 wrote to memory of 3600	2380	esss.exe	AppLaunch.exe
PID 2380 wrote to memory of 3600	2380	esss.exe	AppLaunch.exe
PID 2380 wrote to memory of 3600	2380	esss.exe	AppLaunch.exe
PID 2380 wrote to memory of 3600	2380	esss.exe	AppLaunch.exe
PID 3600 wrote to memory of 5012	3600	AppLaunch.exe	OneDrive.exe
PID 3600 wrote to memory of 5012	3600	AppLaunch.exe	OneDrive.exe
PID 3600 wrote to memory of 2796	3600	AppLaunch.exe	REG.exe
PID 3600 wrote to memory of 2796	3600	AppLaunch.exe	REG.exe
PID 3600 wrote to memory of 2796	3600	AppLaunch.exe	REG.exe
PID 3600 wrote to memory of 1164	3600	AppLaunch.exe	REG.exe
PID 3600 wrote to memory of 1164	3600	AppLaunch.exe	REG.exe
PID 3600 wrote to memory of 1164	3600	AppLaunch.exe	REG.exe
PID 5012 wrote to memory of 1144	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 1144	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 1144	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 1144	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 1144	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 1144	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 1144	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 1144	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 1144	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 4564	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 4564	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 4564	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 4564	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 4564	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 4564	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 4564	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 4564	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 4564	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 2868	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 2868	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 2868	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 2868	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 2868	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 2868	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 2868	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 2868	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 2868	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 3140	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 3140	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 3140	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 3140	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 3140	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 3140	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 3140	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 3140	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 3140	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 3032	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 3032	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 3032	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 3032	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 3032	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 3032	5012	OneDrive.exe	svchost.exe
PID 5012 wrote to memory of 3032	5012	OneDrive.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\SkyBlade\StartGame.exe
"C:\Users\Admin\AppData\Local\Temp\SkyBlade\StartGame.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260

C:\Users\Admin\AppData\Roaming\esss.exe
"C:\Users\Admin\AppData\Roaming\esss.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3600

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0xC7F5b3388dEE5a1c10D5Da25E9521C7E02827c26.ez1
6⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0xC7F5b3388dEE5a1c10D5Da25E9521C7E02827c26.ez1
6⤵
PID:4564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0xC7F5b3388dEE5a1c10D5Da25E9521C7E02827c26.ez1
6⤵
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0xC7F5b3388dEE5a1c10D5Da25E9521C7E02827c26.ez1
6⤵
PID:3140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0xC7F5b3388dEE5a1c10D5Da25E9521C7E02827c26.ez1
6⤵
PID:3032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0xC7F5b3388dEE5a1c10D5Da25E9521C7E02827c26.ez1
6⤵
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0xC7F5b3388dEE5a1c10D5Da25E9521C7E02827c26.ez1
6⤵
PID:3000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0xC7F5b3388dEE5a1c10D5Da25E9521C7E02827c26.ez1
6⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0xC7F5b3388dEE5a1c10D5Da25E9521C7E02827c26.ez1
6⤵
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0xC7F5b3388dEE5a1c10D5Da25E9521C7E02827c26.ez1
6⤵
PID:5100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0xC7F5b3388dEE5a1c10D5Da25E9521C7E02827c26.ez1
6⤵
PID:4660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0xC7F5b3388dEE5a1c10D5Da25E9521C7E02827c26.ez1
6⤵
PID:4816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0xC7F5b3388dEE5a1c10D5Da25E9521C7E02827c26.ez1
6⤵
PID:5056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0xC7F5b3388dEE5a1c10D5Da25E9521C7E02827c26.ez1
6⤵
PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0xC7F5b3388dEE5a1c10D5Da25E9521C7E02827c26.ez1
6⤵
PID:4764

C:\Windows\SysWOW64\REG.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /f /d C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
5⤵
- Adds Run key to start application
- Modifies registry key
PID:2796

C:\Windows\SysWOW64\REG.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v OneDrive /t REG_BINARY /f /d 020000000000000000000000
5⤵
- Modifies registry key
PID:1164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\0XgIQSqMOKwv83_s
Filesize
218B

MD5
119d11c48b1c9a897da12157eeb8a33c

SHA1
a4e3315168b0fe0c03f2ce46599512e8cade8cda

SHA256
f8b4ab386d91076523b49ed0201186383187030d1c8cc0f6f163d0d797a7124e

SHA512
12d43f27fcf0eaa732e52ad722403d1a6d450bfadca4cb4df840c7c1a9d8b67eb014415b58e4fcc421dfd2394e286a0b36d48a5acfb2ba8b6456d5dfb6010950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Filesize
175KB

MD5
f3af73070387fb75b19286826cc3126c

SHA1
7774854137d7ada89f3b4bdf67631456a1e74853

SHA256
974243f2487ceeb8eeea6aa8fee215f15c7b204382d4bd12f469f712f56c3610

SHA512
a620583b2d89e3f0350ae4d5dfe2b2c160d2f982b29dea6b8e273bb39ab2d1d91a2452238e9c30cdd7151aa555e231e1ac9930f9d76f6ff80504eacb25fa557a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Secur32.dll
Filesize
316KB

MD5
fed6517a5f84eecc29edee5586d7feeb

SHA1
56df244bf73c7ec7b59c98e1f5d47b379b58a06b

SHA256
5075a0587b1b35c0152d8c44468641d0ab1c52fd8f1814ee257eceb9ffcb89b6

SHA512
45cab4395d509b5d7dfb904e84d5a679440412f494c4970191b5882572f4d1b9c9cd28d41a49619353c405c2477153b4a7a1568fcf307709df0b81b38c405642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Secur32.dll
Filesize
316KB

MD5
fed6517a5f84eecc29edee5586d7feeb

SHA1
56df244bf73c7ec7b59c98e1f5d47b379b58a06b

SHA256
5075a0587b1b35c0152d8c44468641d0ab1c52fd8f1814ee257eceb9ffcb89b6

SHA512
45cab4395d509b5d7dfb904e84d5a679440412f494c4970191b5882572f4d1b9c9cd28d41a49619353c405c2477153b4a7a1568fcf307709df0b81b38c405642

Download Submit
C:\Users\Admin\AppData\Roaming\esss.exe
Filesize
8.0MB

MD5
99c2d57233f41cb45777a2f33e0960b8

SHA1
844a49a3859a5bef060a8e1182b3fee59934af27

SHA256
454ec9fcacc3d0a2b8a4e3854dc309a64ab75dfced472f0d41b33763b7eb72b8

SHA512
cc2e91120b41ef2047418175601422da48d5c5fc9cf69ce54792d109bd867bc152bbae998b9db0370d76f8b1a6c548e714031f60390d0b0419c7feb668e22aa5

Download Submit
memory/1144-172-0x0000000140000000-0x0000000142B59000-memory.dmp

Filesize
43.3MB

Download
memory/1144-170-0x0000000140000000-0x0000000142B59000-memory.dmp

Filesize
43.3MB

Download
memory/1144-171-0x0000000142B56500-mapping.dmp

Download
memory/1164-166-0x0000000000000000-mapping.dmp

Download
memory/1808-185-0x0000000142B56500-mapping.dmp

Download
memory/1944-209-0x0000000142B56500-mapping.dmp

Download
memory/2260-146-0x0000000005780000-0x000000000579E000-memory.dmp

Filesize
120KB

Download
memory/2260-144-0x0000000004F80000-0x0000000005012000-memory.dmp

Filesize
584KB

Download
memory/2260-147-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/2260-148-0x0000000007300000-0x00000000074C2000-memory.dmp

Filesize
1.8MB

Download
memory/2260-149-0x0000000007A00000-0x0000000007F2C000-memory.dmp

Filesize
5.2MB

Download
memory/2260-139-0x0000000005020000-0x0000000005638000-memory.dmp

Filesize
6.1MB

Download
memory/2260-145-0x0000000005BF0000-0x0000000006194000-memory.dmp

Filesize
5.6MB

Download
memory/2260-140-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/2260-141-0x0000000004BF0000-0x0000000004CFA000-memory.dmp

Filesize
1.0MB

Download
memory/2260-142-0x0000000004B20000-0x0000000004B5C000-memory.dmp

Filesize
240KB

Download
memory/2260-143-0x0000000004E60000-0x0000000004ED6000-memory.dmp

Filesize
472KB

Download
memory/2260-134-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/2260-133-0x0000000000000000-mapping.dmp

Download
memory/2380-150-0x0000000000000000-mapping.dmp

Download
memory/2380-154-0x0000000000FE0000-0x00000000017D7000-memory.dmp

Filesize
8.0MB

Download
memory/2380-153-0x0000000000FE0000-0x00000000017D7000-memory.dmp

Filesize
8.0MB

Download
memory/2380-152-0x0000000000FE0000-0x00000000017D7000-memory.dmp

Filesize
8.0MB

Download
memory/2572-191-0x0000000142B56500-mapping.dmp

Download
memory/2796-165-0x0000000000000000-mapping.dmp

Download
memory/2868-177-0x0000000142B56500-mapping.dmp

Download
memory/3000-188-0x0000000142B56500-mapping.dmp

Download
memory/3032-182-0x0000000142B56500-mapping.dmp

Download
memory/3140-180-0x0000000142B56500-mapping.dmp

Download
memory/3252-194-0x0000000142B56500-mapping.dmp

Download
memory/3600-155-0x0000000000000000-mapping.dmp

Download
memory/3600-156-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3600-162-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3948-132-0x0000000000570000-0x00000000008B3000-memory.dmp

Filesize
3.3MB

Download
memory/3948-130-0x0000000000570000-0x00000000008B3000-memory.dmp

Filesize
3.3MB

Download
memory/3948-131-0x0000000000570000-0x00000000008B3000-memory.dmp

Filesize
3.3MB

Download
memory/4564-174-0x0000000142B56500-mapping.dmp

Download
memory/4660-200-0x0000000142B56500-mapping.dmp

Download
memory/4764-212-0x0000000142B56500-mapping.dmp

Download
memory/4816-203-0x0000000142B56500-mapping.dmp

Download
memory/5012-163-0x0000000000000000-mapping.dmp

Download
memory/5056-206-0x0000000142B56500-mapping.dmp

Download
memory/5100-197-0x0000000142B56500-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads