redline | 94e55f1981d309c200304267e75948dde7cae6a852e2539650016c28d7575900

General

Target

06b37780cb3afdf3fa0f8a238114bd7f.exe
Size

1.2MB
MD5

06b37780cb3afdf3fa0f8a238114bd7f
SHA1

b843dc0253ca495cdd042314fe9031c9cd645350
SHA256

94e55f1981d309c200304267e75948dde7cae6a852e2539650016c28d7575900
SHA512

0d3a82b2073856baf9600e1afd7c209de5b25b04f0aa4b07e8ad0675673c409530c5b02d98506d31f6dbb959825932257ab44624d199efac5d7fea6dccf36774
SSDEEP

24576:PR964zGEH9mhMh40EL6pxchdGrg17gDrX/axcT5x/Vx9:J446/ajVB3aU/P9

Score

10^/10

redline smokeloader 2 backdoor infostealer spyware trojan

Malware Config

Extracted

Family

redline

Botnet

2

C2

185.106.93.214:45623

Attributes

auth_value
c270d8603c9a3fa0f5e04bf34055f108

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1556-132-0x0000000002300000-0x0000000002309000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1260-139-0x0000000000400000-0x0000000000460000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 4 IoCs

Processes:

2923.exe2D2B.exe3F4D.exesvcupdater.exe

pid process

2316 2923.exe
2708 2D2B.exe
2944 3F4D.exe
1700 svcupdater.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

AppLaunch.exe

pid process

4684 AppLaunch.exe
4684 AppLaunch.exe
4684 AppLaunch.exe

pid	process
2316	2923.exe
2708	2D2B.exe
2944	3F4D.exe
1700	svcupdater.exe

pid	process
4684	AppLaunch.exe
4684	AppLaunch.exe
4684	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2923.exe2D2B.exe

description	pid	process	target process
PID 2316 set thread context of 1260	2316	2923.exe	AppLaunch.exe
PID 2708 set thread context of 4684	2708	2D2B.exe	AppLaunch.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2176 2316 WerFault.exe 2923.exe
816 2708 WerFault.exe 2D2B.exe

pid	pid_target	process	target process
2176	2316	WerFault.exe	2923.exe
816	2708	WerFault.exe	2D2B.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe06b37780cb3afdf3fa0f8a238114bd7f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	06b37780cb3afdf3fa0f8a238114bd7f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	06b37780cb3afdf3fa0f8a238114bd7f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	06b37780cb3afdf3fa0f8a238114bd7f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4944 schtasks.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 36 Go-http-client/1.1

pid	process
4944	schtasks.exe

description	flow	ioc
HTTP User-Agent header	36	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

06b37780cb3afdf3fa0f8a238114bd7f.exe

pid	process
1556	06b37780cb3afdf3fa0f8a238114bd7f.exe
1556	06b37780cb3afdf3fa0f8a238114bd7f.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3032
Suspicious behavior: MapViewOfSection 23 IoCs

Processes:

06b37780cb3afdf3fa0f8a238114bd7f.exe

pid process

1556 06b37780cb3afdf3fa0f8a238114bd7f.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

pid	process
3032

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

AppLaunch.exeAppLaunch.exe

description	pid	process
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	4684	AppLaunch.exe
Token: SeCreatePagefilePrivilege	4684	AppLaunch.exe
Token: SeDebugPrivilege	1260	AppLaunch.exe
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

2923.exe2D2B.exe3F4D.execmd.exe

description	pid	process	target process
PID 3032 wrote to memory of 2316	3032		2923.exe
PID 3032 wrote to memory of 2316	3032		2923.exe
PID 3032 wrote to memory of 2316	3032		2923.exe
PID 2316 wrote to memory of 1260	2316	2923.exe	AppLaunch.exe
PID 2316 wrote to memory of 1260	2316	2923.exe	AppLaunch.exe
PID 2316 wrote to memory of 1260	2316	2923.exe	AppLaunch.exe
PID 2316 wrote to memory of 1260	2316	2923.exe	AppLaunch.exe
PID 2316 wrote to memory of 1260	2316	2923.exe	AppLaunch.exe
PID 3032 wrote to memory of 2708	3032		2D2B.exe
PID 3032 wrote to memory of 2708	3032		2D2B.exe
PID 3032 wrote to memory of 2708	3032		2D2B.exe
PID 2708 wrote to memory of 4684	2708	2D2B.exe	AppLaunch.exe
PID 2708 wrote to memory of 4684	2708	2D2B.exe	AppLaunch.exe
PID 2708 wrote to memory of 4684	2708	2D2B.exe	AppLaunch.exe
PID 2708 wrote to memory of 4684	2708	2D2B.exe	AppLaunch.exe
PID 2708 wrote to memory of 4684	2708	2D2B.exe	AppLaunch.exe
PID 3032 wrote to memory of 2944	3032		3F4D.exe
PID 3032 wrote to memory of 2944	3032		3F4D.exe
PID 3032 wrote to memory of 1504	3032		explorer.exe
PID 3032 wrote to memory of 1504	3032		explorer.exe
PID 3032 wrote to memory of 1504	3032		explorer.exe
PID 3032 wrote to memory of 1504	3032		explorer.exe
PID 2944 wrote to memory of 1384	2944	3F4D.exe	cmd.exe
PID 2944 wrote to memory of 1384	2944	3F4D.exe	cmd.exe
PID 1384 wrote to memory of 4944	1384	cmd.exe	schtasks.exe
PID 1384 wrote to memory of 4944	1384	cmd.exe	schtasks.exe
PID 3032 wrote to memory of 5012	3032		explorer.exe
PID 3032 wrote to memory of 5012	3032		explorer.exe
PID 3032 wrote to memory of 5012	3032		explorer.exe
PID 3032 wrote to memory of 5012	3032		explorer.exe
PID 3032 wrote to memory of 1768	3032		explorer.exe
PID 3032 wrote to memory of 1768	3032		explorer.exe
PID 3032 wrote to memory of 1768	3032		explorer.exe
PID 3032 wrote to memory of 4948	3032		explorer.exe
PID 3032 wrote to memory of 4948	3032		explorer.exe
PID 3032 wrote to memory of 4948	3032		explorer.exe
PID 3032 wrote to memory of 4948	3032		explorer.exe
PID 3032 wrote to memory of 1752	3032		explorer.exe
PID 3032 wrote to memory of 1752	3032		explorer.exe
PID 3032 wrote to memory of 1752	3032		explorer.exe
PID 3032 wrote to memory of 1020	3032		explorer.exe
PID 3032 wrote to memory of 1020	3032		explorer.exe
PID 3032 wrote to memory of 1020	3032		explorer.exe
PID 3032 wrote to memory of 1020	3032		explorer.exe
PID 3032 wrote to memory of 1796	3032		explorer.exe
PID 3032 wrote to memory of 1796	3032		explorer.exe
PID 3032 wrote to memory of 1796	3032		explorer.exe
PID 3032 wrote to memory of 2612	3032		explorer.exe
PID 3032 wrote to memory of 2612	3032		explorer.exe
PID 3032 wrote to memory of 2612	3032		explorer.exe
PID 3032 wrote to memory of 2612	3032		explorer.exe
PID 3032 wrote to memory of 3824	3032		explorer.exe
PID 3032 wrote to memory of 3824	3032		explorer.exe
PID 3032 wrote to memory of 3824	3032		explorer.exe
PID 3032 wrote to memory of 3824	3032		explorer.exe
PID 3032 wrote to memory of 3236	3032		explorer.exe
PID 3032 wrote to memory of 3236	3032		explorer.exe
PID 3032 wrote to memory of 3236	3032		explorer.exe
PID 3032 wrote to memory of 4328	3032		explorer.exe
PID 3032 wrote to memory of 4328	3032		explorer.exe
PID 3032 wrote to memory of 4328	3032		explorer.exe
PID 3032 wrote to memory of 4328	3032		explorer.exe

C:\Users\Admin\AppData\Local\Temp\06b37780cb3afdf3fa0f8a238114bd7f.exe
"C:\Users\Admin\AppData\Local\Temp\06b37780cb3afdf3fa0f8a238114bd7f.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1556

C:\Users\Admin\AppData\Local\Temp\2923.exe
C:\Users\Admin\AppData\Local\Temp\2923.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 292
2⤵
- Program crash
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 120 -p 2316 -ip 2316
1⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\2D2B.exe
C:\Users\Admin\AppData\Local\Temp\2D2B.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 284
2⤵
- Program crash
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2708 -ip 2708
1⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\3F4D.exe
C:\Users\Admin\AppData\Local\Temp\3F4D.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\system32\cmd.exe
cmd.exe /C schtasks /create /tn UEstrPhfRW /tr C:\Users\Admin\AppData\Roaming\UEstrPhfRW\svcupdater.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\system32\schtasks.exe
schtasks /create /tn UEstrPhfRW /tr C:\Users\Admin\AppData\Roaming\UEstrPhfRW\svcupdater.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:4944

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1504

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5012

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1768

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4948

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1752

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1020

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1796

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2612

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3824

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3236

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4328

C:\Users\Admin\AppData\Roaming\UEstrPhfRW\svcupdater.exe
C:\Users\Admin\AppData\Roaming\UEstrPhfRW\svcupdater.exe
1⤵
- Executes dropped EXE
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2923.exe
Filesize
1.3MB

MD5
6ffcc2848e7da926954cdda9415cc750

SHA1
c218117b84e16d79d9f22e76d9844703f3629a05

SHA256
f003541518f9abc9799499b504b0609ea9a9a149674cd6d1fde5cdd18b29a25a

SHA512
c0b04f49f0008de05b25e38c28695b93482148e4e76fde02f58fc1e5b8178f3e5c9b4ffdf183003a26afe71fda50153612f16bc55150c079735c85856c71f169

Download Submit
C:\Users\Admin\AppData\Local\Temp\2923.exe
Filesize
1.3MB

MD5
6ffcc2848e7da926954cdda9415cc750

SHA1
c218117b84e16d79d9f22e76d9844703f3629a05

SHA256
f003541518f9abc9799499b504b0609ea9a9a149674cd6d1fde5cdd18b29a25a

SHA512
c0b04f49f0008de05b25e38c28695b93482148e4e76fde02f58fc1e5b8178f3e5c9b4ffdf183003a26afe71fda50153612f16bc55150c079735c85856c71f169

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D2B.exe
Filesize
1.1MB

MD5
5cf1156e38e889646bf40f3e790b76e2

SHA1
3b12d8f1abb4882a603de7ce784c8628f09b4beb

SHA256
c788590703cfa78836357a549728794b3df2764b88ab2d3ee6b566809aed4a54

SHA512
12191876a5686d67b06d0f9ecef8d2193cde5bdfd85ba7f97eee16c2c4c18d98e85a328e61a579a28c99611e83eb3ba5ed6404ab1833d3c8cc023e5c322f45cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D2B.exe
Filesize
1.1MB

MD5
5cf1156e38e889646bf40f3e790b76e2

SHA1
3b12d8f1abb4882a603de7ce784c8628f09b4beb

SHA256
c788590703cfa78836357a549728794b3df2764b88ab2d3ee6b566809aed4a54

SHA512
12191876a5686d67b06d0f9ecef8d2193cde5bdfd85ba7f97eee16c2c4c18d98e85a328e61a579a28c99611e83eb3ba5ed6404ab1833d3c8cc023e5c322f45cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F4D.exe
Filesize
4.7MB

MD5
71b4b9ba8cfdfba4cc276ef81436959b

SHA1
856b4d255a1384afb285457d6cc3a070a8a64368

SHA256
0879a6256e7036871aba1f4a2ce3615e44b0c3246e8d5aa306a9539648202980

SHA512
8fdc3339d7b2e3332c16f458dd2d9ff58279c67b94d291f5b9894517f557d624efec08ee79dbfd46f9686b5e363258a1a9c2199824afc4934768c7777981efaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F4D.exe
Filesize
4.7MB

MD5
71b4b9ba8cfdfba4cc276ef81436959b

SHA1
856b4d255a1384afb285457d6cc3a070a8a64368

SHA256
0879a6256e7036871aba1f4a2ce3615e44b0c3246e8d5aa306a9539648202980

SHA512
8fdc3339d7b2e3332c16f458dd2d9ff58279c67b94d291f5b9894517f557d624efec08ee79dbfd46f9686b5e363258a1a9c2199824afc4934768c7777981efaa

Download Submit
C:\Users\Admin\AppData\Roaming\UEstrPhfRW\svcupdater.exe
Filesize
4.7MB

MD5
71b4b9ba8cfdfba4cc276ef81436959b

SHA1
856b4d255a1384afb285457d6cc3a070a8a64368

SHA256
0879a6256e7036871aba1f4a2ce3615e44b0c3246e8d5aa306a9539648202980

SHA512
8fdc3339d7b2e3332c16f458dd2d9ff58279c67b94d291f5b9894517f557d624efec08ee79dbfd46f9686b5e363258a1a9c2199824afc4934768c7777981efaa

Download Submit
C:\Users\Admin\AppData\Roaming\UEstrPhfRW\svcupdater.exe
Filesize
4.7MB

MD5
71b4b9ba8cfdfba4cc276ef81436959b

SHA1
856b4d255a1384afb285457d6cc3a070a8a64368

SHA256
0879a6256e7036871aba1f4a2ce3615e44b0c3246e8d5aa306a9539648202980

SHA512
8fdc3339d7b2e3332c16f458dd2d9ff58279c67b94d291f5b9894517f557d624efec08ee79dbfd46f9686b5e363258a1a9c2199824afc4934768c7777981efaa

Download Submit
memory/1020-182-0x0000000000000000-mapping.dmp

Download
memory/1020-183-0x0000000001300000-0x0000000001304000-memory.dmp

Filesize
16KB

Download
memory/1020-184-0x00000000012F0000-0x00000000012F9000-memory.dmp

Filesize
36KB

Download
memory/1020-211-0x0000000001300000-0x0000000001304000-memory.dmp

Filesize
16KB

Download
memory/1260-139-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1260-198-0x0000000006D70000-0x0000000006F32000-memory.dmp

Filesize
1.8MB

Download
memory/1260-155-0x0000000005F90000-0x00000000065A8000-memory.dmp

Filesize
6.1MB

Download
memory/1260-156-0x0000000005A80000-0x0000000005B8A000-memory.dmp

Filesize
1.0MB

Download
memory/1260-157-0x00000000059B0000-0x00000000059C2000-memory.dmp

Filesize
72KB

Download
memory/1260-200-0x0000000009120000-0x000000000964C000-memory.dmp

Filesize
5.2MB

Download
memory/1260-159-0x0000000005A10000-0x0000000005A4C000-memory.dmp

Filesize
240KB

Download
memory/1260-187-0x0000000005D70000-0x0000000005E02000-memory.dmp

Filesize
584KB

Download
memory/1260-204-0x0000000006CF0000-0x0000000006D40000-memory.dmp

Filesize
320KB

Download
memory/1260-138-0x0000000000000000-mapping.dmp

Download
memory/1260-203-0x0000000006C70000-0x0000000006CE6000-memory.dmp

Filesize
472KB

Download
memory/1260-185-0x0000000006F50000-0x00000000074F4000-memory.dmp

Filesize
5.6MB

Download
memory/1260-188-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/1384-164-0x0000000000000000-mapping.dmp

Download
memory/1504-166-0x0000000000E90000-0x0000000000E9B000-memory.dmp

Filesize
44KB

Download
memory/1504-163-0x0000000000000000-mapping.dmp

Download
memory/1556-132-0x0000000002300000-0x0000000002309000-memory.dmp

Filesize
36KB

Download
memory/1556-134-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1556-133-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1752-180-0x0000000000730000-0x0000000000736000-memory.dmp

Filesize
24KB

Download
memory/1752-179-0x0000000000000000-mapping.dmp

Download
memory/1752-181-0x0000000000720000-0x000000000072C000-memory.dmp

Filesize
48KB

Download
memory/1768-209-0x0000000000FC0000-0x0000000000FC9000-memory.dmp

Filesize
36KB

Download
memory/1768-172-0x0000000000FB0000-0x0000000000FBF000-memory.dmp

Filesize
60KB

Download
memory/1768-171-0x0000000000FC0000-0x0000000000FC9000-memory.dmp

Filesize
36KB

Download
memory/1768-170-0x0000000000000000-mapping.dmp

Download
memory/1796-212-0x0000000000B10000-0x0000000000B15000-memory.dmp

Filesize
20KB

Download
memory/1796-186-0x0000000000000000-mapping.dmp

Download
memory/1796-190-0x0000000000B00000-0x0000000000B09000-memory.dmp

Filesize
36KB

Download
memory/1796-189-0x0000000000B10000-0x0000000000B15000-memory.dmp

Filesize
20KB

Download
memory/2316-135-0x0000000000000000-mapping.dmp

Download
memory/2612-191-0x0000000000000000-mapping.dmp

Download
memory/2612-213-0x0000000000B40000-0x0000000000B62000-memory.dmp

Filesize
136KB

Download
memory/2612-193-0x0000000000B10000-0x0000000000B37000-memory.dmp

Filesize
156KB

Download
memory/2612-192-0x0000000000B40000-0x0000000000B62000-memory.dmp

Filesize
136KB

Download
memory/2708-144-0x0000000000000000-mapping.dmp

Download
memory/2944-160-0x0000000000000000-mapping.dmp

Download
memory/3236-215-0x0000000000D90000-0x0000000000D97000-memory.dmp

Filesize
28KB

Download
memory/3236-201-0x0000000000D90000-0x0000000000D97000-memory.dmp

Filesize
28KB

Download
memory/3236-202-0x0000000000D80000-0x0000000000D8D000-memory.dmp

Filesize
52KB

Download
memory/3236-199-0x0000000000000000-mapping.dmp

Download
memory/3824-214-0x0000000000EE0000-0x0000000000EE6000-memory.dmp

Filesize
24KB

Download
memory/3824-194-0x0000000000000000-mapping.dmp

Download
memory/3824-195-0x0000000000EE0000-0x0000000000EE6000-memory.dmp

Filesize
24KB

Download
memory/3824-196-0x0000000000ED0000-0x0000000000EDB000-memory.dmp

Filesize
44KB

Download
memory/4328-206-0x0000000000E00000-0x0000000000E08000-memory.dmp

Filesize
32KB

Download
memory/4328-205-0x0000000000000000-mapping.dmp

Download
memory/4328-207-0x0000000000BF0000-0x0000000000BFB000-memory.dmp

Filesize
44KB

Download
memory/4328-216-0x0000000000E00000-0x0000000000E08000-memory.dmp

Filesize
32KB

Download
memory/4684-147-0x0000000000000000-mapping.dmp

Download
memory/4684-158-0x0000000000DA3000-0x0000000000DA6000-memory.dmp

Filesize
12KB

Download
memory/4684-174-0x00000000009E0000-0x00000000009FD000-memory.dmp

Filesize
116KB

Download
memory/4684-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-173-0x0000000000DA4000-0x0000000000DA6000-memory.dmp

Filesize
8KB

Download
memory/4684-176-0x0000000002E20000-0x0000000003E20000-memory.dmp

Filesize
16.0MB

Download
memory/4684-197-0x00000000009E0000-0x00000000009FD000-memory.dmp

Filesize
116KB

Download
memory/4944-165-0x0000000000000000-mapping.dmp

Download
memory/4948-177-0x0000000000E80000-0x0000000000E85000-memory.dmp

Filesize
20KB

Download
memory/4948-178-0x0000000000E70000-0x0000000000E79000-memory.dmp

Filesize
36KB

Download
memory/4948-210-0x0000000000E80000-0x0000000000E85000-memory.dmp

Filesize
20KB

Download
memory/4948-175-0x0000000000000000-mapping.dmp

Download
memory/5012-169-0x0000000000C60000-0x0000000000C6B000-memory.dmp

Filesize
44KB

Download
memory/5012-168-0x0000000000C70000-0x0000000000C77000-memory.dmp

Filesize
28KB

Download
memory/5012-208-0x0000000000C70000-0x0000000000C77000-memory.dmp

Filesize
28KB

Download
memory/5012-167-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads