mystic | 28c6afd9dbe7547caddddc77f393e8c2925c1bb7ee72f531b8daa7622351d6d9

General

Target

274602f22d15c9edfaa9170361b6fae8593699ed5d37efd259e2363a66bd666b.exe
Size

1.0MB
MD5

44fadc7ff5089a660f20e84491564413
SHA1

bc55f02398f9d4754267dd6ec32f8ce32b81a0f5
SHA256

274602f22d15c9edfaa9170361b6fae8593699ed5d37efd259e2363a66bd666b
SHA512

5cf14c885e6e685f4984057d19013ef4edb9550da1c6848654b81d0332d53365b512bfe9f63b0318f203d4cbf8d24ef315da6c88b285311dafa604bee84646ba
SSDEEP

12288:WMrmy90n/LFPEu33VEA1x/KkzNP73Yxbp4YM2ixo53HtT6Aro9UIUQZf0ZHp/7nC:EyyRVEAXKk13YohxQdeAro2INl0j7C

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sN0158.exe	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4LH425kQ.exe	family_redline
behavioral1/memory/1208-48-0x0000000000940000-0x000000000097E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 8 IoCs

Processes:

oA4AN91.exerc3uT08.exenF0Jx43.exeCf6dU97.exe1yx54Hw1.exe2sN0158.exe3WJ47pc.exe4LH425kQ.exe

pid process

1428 oA4AN91.exe
896 rc3uT08.exe
216 nF0Jx43.exe
1096 Cf6dU97.exe
3460 1yx54Hw1.exe
4436 2sN0158.exe
1572 3WJ47pc.exe
1208 4LH425kQ.exe

pid	process
1428	oA4AN91.exe
896	rc3uT08.exe
216	nF0Jx43.exe
1096	Cf6dU97.exe
3460	1yx54Hw1.exe
4436	2sN0158.exe
1572	3WJ47pc.exe
1208	4LH425kQ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

oA4AN91.exerc3uT08.exenF0Jx43.exeCf6dU97.exe274602f22d15c9edfaa9170361b6fae8593699ed5d37efd259e2363a66bd666b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	oA4AN91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	rc3uT08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	nF0Jx43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Cf6dU97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	274602f22d15c9edfaa9170361b6fae8593699ed5d37efd259e2363a66bd666b.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1yx54Hw1.exe3WJ47pc.exe

description	pid	process	target process
PID 3460 set thread context of 2116	3460	1yx54Hw1.exe	AppLaunch.exe
PID 1572 set thread context of 2852	1572	3WJ47pc.exe	AppLaunch.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3676 sc.exe

pid	process
3676	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exeAppLaunch.exe

pid	process
2852	AppLaunch.exe
2852	AppLaunch.exe
2116	AppLaunch.exe
2116	AppLaunch.exe
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

AppLaunch.exe

pid process

2852 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2116 AppLaunch.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3432

description	pid	process
Token: SeDebugPrivilege	2116	AppLaunch.exe

pid	process
3432

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

274602f22d15c9edfaa9170361b6fae8593699ed5d37efd259e2363a66bd666b.exeoA4AN91.exerc3uT08.exenF0Jx43.exeCf6dU97.exe1yx54Hw1.exe3WJ47pc.exe

description	pid	process	target process
PID 2020 wrote to memory of 1428	2020	274602f22d15c9edfaa9170361b6fae8593699ed5d37efd259e2363a66bd666b.exe	oA4AN91.exe
PID 2020 wrote to memory of 1428	2020	274602f22d15c9edfaa9170361b6fae8593699ed5d37efd259e2363a66bd666b.exe	oA4AN91.exe
PID 2020 wrote to memory of 1428	2020	274602f22d15c9edfaa9170361b6fae8593699ed5d37efd259e2363a66bd666b.exe	oA4AN91.exe
PID 1428 wrote to memory of 896	1428	oA4AN91.exe	rc3uT08.exe
PID 1428 wrote to memory of 896	1428	oA4AN91.exe	rc3uT08.exe
PID 1428 wrote to memory of 896	1428	oA4AN91.exe	rc3uT08.exe
PID 896 wrote to memory of 216	896	rc3uT08.exe	nF0Jx43.exe
PID 896 wrote to memory of 216	896	rc3uT08.exe	nF0Jx43.exe
PID 896 wrote to memory of 216	896	rc3uT08.exe	nF0Jx43.exe
PID 216 wrote to memory of 1096	216	nF0Jx43.exe	Cf6dU97.exe
PID 216 wrote to memory of 1096	216	nF0Jx43.exe	Cf6dU97.exe
PID 216 wrote to memory of 1096	216	nF0Jx43.exe	Cf6dU97.exe
PID 1096 wrote to memory of 3460	1096	Cf6dU97.exe	1yx54Hw1.exe
PID 1096 wrote to memory of 3460	1096	Cf6dU97.exe	1yx54Hw1.exe
PID 1096 wrote to memory of 3460	1096	Cf6dU97.exe	1yx54Hw1.exe
PID 3460 wrote to memory of 2116	3460	1yx54Hw1.exe	AppLaunch.exe
PID 3460 wrote to memory of 2116	3460	1yx54Hw1.exe	AppLaunch.exe
PID 3460 wrote to memory of 2116	3460	1yx54Hw1.exe	AppLaunch.exe
PID 3460 wrote to memory of 2116	3460	1yx54Hw1.exe	AppLaunch.exe
PID 3460 wrote to memory of 2116	3460	1yx54Hw1.exe	AppLaunch.exe
PID 3460 wrote to memory of 2116	3460	1yx54Hw1.exe	AppLaunch.exe
PID 3460 wrote to memory of 2116	3460	1yx54Hw1.exe	AppLaunch.exe
PID 3460 wrote to memory of 2116	3460	1yx54Hw1.exe	AppLaunch.exe
PID 1096 wrote to memory of 4436	1096	Cf6dU97.exe	2sN0158.exe
PID 1096 wrote to memory of 4436	1096	Cf6dU97.exe	2sN0158.exe
PID 1096 wrote to memory of 4436	1096	Cf6dU97.exe	2sN0158.exe
PID 216 wrote to memory of 1572	216	nF0Jx43.exe	3WJ47pc.exe
PID 216 wrote to memory of 1572	216	nF0Jx43.exe	3WJ47pc.exe
PID 216 wrote to memory of 1572	216	nF0Jx43.exe	3WJ47pc.exe
PID 1572 wrote to memory of 2852	1572	3WJ47pc.exe	AppLaunch.exe
PID 1572 wrote to memory of 2852	1572	3WJ47pc.exe	AppLaunch.exe
PID 1572 wrote to memory of 2852	1572	3WJ47pc.exe	AppLaunch.exe
PID 1572 wrote to memory of 2852	1572	3WJ47pc.exe	AppLaunch.exe
PID 1572 wrote to memory of 2852	1572	3WJ47pc.exe	AppLaunch.exe
PID 1572 wrote to memory of 2852	1572	3WJ47pc.exe	AppLaunch.exe
PID 896 wrote to memory of 1208	896	rc3uT08.exe	4LH425kQ.exe
PID 896 wrote to memory of 1208	896	rc3uT08.exe	4LH425kQ.exe
PID 896 wrote to memory of 1208	896	rc3uT08.exe	4LH425kQ.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\274602f22d15c9edfaa9170361b6fae8593699ed5d37efd259e2363a66bd666b.exe
"C:\Users\Admin\AppData\Local\Temp\274602f22d15c9edfaa9170361b6fae8593699ed5d37efd259e2363a66bd666b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oA4AN91.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oA4AN91.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rc3uT08.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rc3uT08.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:896

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nF0Jx43.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nF0Jx43.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:216

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cf6dU97.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cf6dU97.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1yx54Hw1.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1yx54Hw1.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sN0158.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sN0158.exe
6⤵
- Executes dropped EXE
PID:4436

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3WJ47pc.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3WJ47pc.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2852

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4LH425kQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4LH425kQ.exe
4⤵
- Executes dropped EXE
PID:1208

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:3676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

Disable or Modify Tools

1

T1562.001

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oA4AN91.exe
Filesize
894KB

MD5
236b711f28ac5ccf0b9734d135d8ddf9

SHA1
236b45f282987552aca93d7be8ef0b8c76a9cebf

SHA256
8ce676719f45ea1b9876a0335ed6c3788689048fe0506c37665caf3370d9d428

SHA512
799bef5467d99bc1dd770fa222a8e01dfc1046e184f4de7b79fc436db9dc6c6b9b86023ed8a90ce03ba26db29f2db54fc856f755f0e3bfaf7ece7c85e4ad3989

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rc3uT08.exe
Filesize
711KB

MD5
da9bc7ef03719a2f15976306d1731b07

SHA1
d210da3cb0c12aceeb1703cc5a327adb0c075272

SHA256
26de2b3ef64a7a8b2a44f88f7e6c9e733bee1dc3ed9dcdef502d6c854bedaf75

SHA512
dac5f7e68dbe96c8de860af3b37f2def504b0f98bdf6fb1a30e51f4853c2e719958a228234ffaf36362f876fbdaf39e051c806a67ba903035af517d408029c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4LH425kQ.exe
Filesize
221KB

MD5
8905918bd7e4f4aeda3a804d81f9ee40

SHA1
3c488a81539116085a1c22df26085f798f7202c8

SHA256
0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde

SHA512
6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nF0Jx43.exe
Filesize
537KB

MD5
d730cd47eac7177ed96029f9b80de900

SHA1
dc2e197a8626688e3154aa10631982da298edf04

SHA256
4543f2fa5c657b2e7c31445e2134a0cb156fe95dfcee50125725aca92d28621e

SHA512
bbed9d49a0eb3a1cea9d1a04168910d68880cdbb6ffc396e76cb95882c5ae6cdf3008c100cd5b8aa74ec0a6a86f927bc922586d97851c7c1afb86d07fc44fcba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3WJ47pc.exe
Filesize
252KB

MD5
9a03accf2f85700608abebfce8321185

SHA1
b48409bd1d7b20946c48c3519b8e0af5eebe5f34

SHA256
79c7843f253d08168ce416a76429e28bb019a3a12cdc5f4ec2c40e93a25d3d2f

SHA512
f726053aa77e8fa70254c12da901a38722bd3b0b96cfc9808a169a418d247b34ec972c43cc8b4b2cfb15d18a8a80ddcadca8063a51d446a204b583c9b805aeb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cf6dU97.exe
Filesize
300KB

MD5
bb319559736d8f6559cc8c349869d6f5

SHA1
6cab8ea79da3227090f8099abf8f429f224c5adb

SHA256
c9956d5d6329fbcceb652201a28efd45b916fef970124ea183abd40b1dc41627

SHA512
43b25ca086ca1e2512baaffa7b5e9dc969e644285b3469208246817c4dbce0ce43cda39fa70f75544625957a689fdabe17fdb3c91115d94886d23aba2a6a9487

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1yx54Hw1.exe
Filesize
154KB

MD5
098478afedb77e3ad162dcb60ba1079e

SHA1
aae5fd48aaf7d271c23130197dcfdd8791307d6f

SHA256
9ec13c3b726ec3ca9cf66364b6db9f252c3eaaf124b53d032564aec8e9ee8541

SHA512
145ab134ea391792a91c746b865ac48f2cafc8cec71664b6ca7b8cfc28fe508a953a095bb26f6a69d2066b8489ce02c7b0e82eae6ae5adc0e6b03435de86b14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sN0158.exe
Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
memory/1208-50-0x0000000007CF0000-0x0000000008294000-memory.dmp

Filesize
5.6MB

Download
memory/1208-53-0x00000000053A0000-0x00000000053AA000-memory.dmp

Filesize
40KB

Download
memory/1208-69-0x00000000078E0000-0x00000000078F0000-memory.dmp

Filesize
64KB

Download
memory/1208-68-0x0000000074200000-0x00000000749B0000-memory.dmp

Filesize
7.7MB

Download
memory/1208-48-0x0000000000940000-0x000000000097E000-memory.dmp

Filesize
248KB

Download
memory/1208-49-0x0000000074200000-0x00000000749B0000-memory.dmp

Filesize
7.7MB

Download
memory/1208-58-0x0000000007B80000-0x0000000007BCC000-memory.dmp

Filesize
304KB

Download
memory/1208-51-0x0000000007740000-0x00000000077D2000-memory.dmp

Filesize
584KB

Download
memory/1208-52-0x00000000078E0000-0x00000000078F0000-memory.dmp

Filesize
64KB

Download
memory/1208-57-0x0000000007A00000-0x0000000007A3C000-memory.dmp

Filesize
240KB

Download
memory/1208-54-0x00000000088C0000-0x0000000008ED8000-memory.dmp

Filesize
6.1MB

Download
memory/1208-55-0x0000000007A70000-0x0000000007B7A000-memory.dmp

Filesize
1.0MB

Download
memory/1208-56-0x00000000079A0000-0x00000000079B2000-memory.dmp

Filesize
72KB

Download
memory/2116-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2116-64-0x0000000074200000-0x00000000749B0000-memory.dmp

Filesize
7.7MB

Download
memory/2116-42-0x0000000074200000-0x00000000749B0000-memory.dmp

Filesize
7.7MB

Download
memory/2852-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2852-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2852-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3432-59-0x00000000022F0000-0x0000000002306000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads