redline | 369b5e6e18c6f1b494147389106008ee284eb20e448d57dd8fd814b05884e7a8

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-21T15:51:57Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_23-dirty.qcow2\"}"

General

Target

slinkyloader.exe
Size

17.5MB
MD5

96ea9220bae88a463930e138631c1983
SHA1

61bf5000860e49f3c70983922110c575d03e6f19
SHA256

369b5e6e18c6f1b494147389106008ee284eb20e448d57dd8fd814b05884e7a8
SHA512

36eb783f0b0e0101ca4b911c483fbf9e1d11c7ee08e51edabb83e61db79fb5ba781199e29e780555c69edf1fa4fac364b49519ceb7031ac086243b0952a87087
SSDEEP

393216:b+c50Fa7K39n0LHOz3tcA/YFspJfUXvakYHQFSdbhALSVQtikwtW3Jigc:Hot3uLuz3tM6rfUXCkYgU/VQti/W35

Score

10^/10

redline sectoprat cheat infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

month-washer.gl.at.ply.gg:33498

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Server.exe	family_redline
behavioral1/memory/2268-17-0x00000000005B0000-0x00000000005CE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Server.exe	family_sectoprat
behavioral1/memory/2268-17-0x00000000005B0000-0x00000000005CE000-memory.dmp	family_sectoprat

Checks computer location settings 2 TTPs 45 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

slinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	slinkyloader.exe

Executes dropped EXE 45 IoCs

Processes:

Server.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exe

pid	process
2268	Server.exe
3076	Server.exe
4516	Server.exe
3904	Server.exe
4016	Server.exe
3056	Server.exe
1776	Server.exe
1720	Server.exe
3940	Server.exe
2452	Server.exe
3648	Server.exe
3860	Server.exe
5308	Server.exe
5548	Server.exe
5724	Server.exe
5920	Server.exe
4992	Server.exe
5296	Server.exe
5716	Server.exe
5208	Server.exe
5528	Server.exe
5988	Server.exe
5904	Server.exe
4608	Server.exe
6200	Server.exe
6632	Server.exe
6828	Server.exe
7044	Server.exe
6180	Server.exe
6424	Server.exe
6540	Server.exe
6784	Server.exe
6916	Server.exe
6296	Server.exe
1140	Server.exe
6440	Server.exe
6288	Server.exe
6764	Server.exe
2784	Server.exe
7040	Server.exe
6468	Server.exe
5440	Server.exe
848	Server.exe
6012	Server.exe
6476	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

Server.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exeServer.exe

description	pid	process
Token: SeDebugPrivilege	2268	Server.exe
Token: SeDebugPrivilege	3076	Server.exe
Token: SeDebugPrivilege	4516	Server.exe
Token: SeDebugPrivilege	3904	Server.exe
Token: SeDebugPrivilege	4016	Server.exe
Token: SeDebugPrivilege	3056	Server.exe
Token: SeDebugPrivilege	1776	Server.exe
Token: SeDebugPrivilege	1720	Server.exe
Token: SeDebugPrivilege	3940	Server.exe
Token: SeDebugPrivilege	2452	Server.exe
Token: SeDebugPrivilege	3648	Server.exe
Token: SeDebugPrivilege	3860	Server.exe
Token: SeDebugPrivilege	5308	Server.exe
Token: SeDebugPrivilege	5548	Server.exe
Token: SeDebugPrivilege	5724	Server.exe
Token: SeDebugPrivilege	5920	Server.exe
Token: SeDebugPrivilege	4992	Server.exe
Token: SeDebugPrivilege	5296	Server.exe
Token: SeDebugPrivilege	5716	Server.exe
Token: SeDebugPrivilege	5208	Server.exe
Token: SeDebugPrivilege	5528	Server.exe
Token: SeDebugPrivilege	5988	Server.exe
Token: SeDebugPrivilege	5904	Server.exe
Token: SeDebugPrivilege	4608	Server.exe
Token: SeDebugPrivilege	6200	Server.exe
Token: SeDebugPrivilege	6632	Server.exe
Token: SeDebugPrivilege	6828	Server.exe
Token: SeDebugPrivilege	7044	Server.exe
Token: SeDebugPrivilege	6180	Server.exe
Token: SeDebugPrivilege	6424	Server.exe
Token: SeDebugPrivilege	6540	Server.exe
Token: SeDebugPrivilege	6784	Server.exe
Token: SeDebugPrivilege	6916	Server.exe
Token: SeDebugPrivilege	6296	Server.exe
Token: SeDebugPrivilege	1140	Server.exe
Token: SeDebugPrivilege	6440	Server.exe
Token: SeDebugPrivilege	6288	Server.exe
Token: SeDebugPrivilege	6764	Server.exe
Token: SeDebugPrivilege	2784	Server.exe
Token: SeDebugPrivilege	7040	Server.exe
Token: SeDebugPrivilege	6468	Server.exe
Token: SeDebugPrivilege	5440	Server.exe
Token: SeDebugPrivilege	848	Server.exe
Token: SeDebugPrivilege	6012	Server.exe
Token: SeDebugPrivilege	6476	Server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

slinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exeslinkyloader.exe

description	pid	process	target process
PID 100 wrote to memory of 2268	100	slinkyloader.exe	Server.exe
PID 100 wrote to memory of 2268	100	slinkyloader.exe	Server.exe
PID 100 wrote to memory of 2268	100	slinkyloader.exe	Server.exe
PID 100 wrote to memory of 4640	100	slinkyloader.exe	slinkyloader.exe
PID 100 wrote to memory of 4640	100	slinkyloader.exe	slinkyloader.exe
PID 4640 wrote to memory of 3076	4640	slinkyloader.exe	Server.exe
PID 4640 wrote to memory of 3076	4640	slinkyloader.exe	Server.exe
PID 4640 wrote to memory of 3076	4640	slinkyloader.exe	Server.exe
PID 4640 wrote to memory of 4872	4640	slinkyloader.exe	slinkyloader.exe
PID 4640 wrote to memory of 4872	4640	slinkyloader.exe	slinkyloader.exe
PID 4872 wrote to memory of 4516	4872	slinkyloader.exe	Server.exe
PID 4872 wrote to memory of 4516	4872	slinkyloader.exe	Server.exe
PID 4872 wrote to memory of 4516	4872	slinkyloader.exe	Server.exe
PID 4872 wrote to memory of 4716	4872	slinkyloader.exe	slinkyloader.exe
PID 4872 wrote to memory of 4716	4872	slinkyloader.exe	slinkyloader.exe
PID 4716 wrote to memory of 3904	4716	slinkyloader.exe	Server.exe
PID 4716 wrote to memory of 3904	4716	slinkyloader.exe	Server.exe
PID 4716 wrote to memory of 3904	4716	slinkyloader.exe	Server.exe
PID 4716 wrote to memory of 3940	4716	slinkyloader.exe	slinkyloader.exe
PID 4716 wrote to memory of 3940	4716	slinkyloader.exe	slinkyloader.exe
PID 3940 wrote to memory of 4016	3940	slinkyloader.exe	Server.exe
PID 3940 wrote to memory of 4016	3940	slinkyloader.exe	Server.exe
PID 3940 wrote to memory of 4016	3940	slinkyloader.exe	Server.exe
PID 3940 wrote to memory of 3608	3940	slinkyloader.exe	slinkyloader.exe
PID 3940 wrote to memory of 3608	3940	slinkyloader.exe	slinkyloader.exe
PID 3608 wrote to memory of 3056	3608	slinkyloader.exe	Server.exe
PID 3608 wrote to memory of 3056	3608	slinkyloader.exe	Server.exe
PID 3608 wrote to memory of 3056	3608	slinkyloader.exe	Server.exe
PID 3608 wrote to memory of 1756	3608	slinkyloader.exe	slinkyloader.exe
PID 3608 wrote to memory of 1756	3608	slinkyloader.exe	slinkyloader.exe
PID 1756 wrote to memory of 1776	1756	slinkyloader.exe	Server.exe
PID 1756 wrote to memory of 1776	1756	slinkyloader.exe	Server.exe
PID 1756 wrote to memory of 1776	1756	slinkyloader.exe	Server.exe
PID 1756 wrote to memory of 3928	1756	slinkyloader.exe	slinkyloader.exe
PID 1756 wrote to memory of 3928	1756	slinkyloader.exe	slinkyloader.exe
PID 3928 wrote to memory of 1720	3928	slinkyloader.exe	Server.exe
PID 3928 wrote to memory of 1720	3928	slinkyloader.exe	Server.exe
PID 3928 wrote to memory of 1720	3928	slinkyloader.exe	Server.exe
PID 3928 wrote to memory of 4768	3928	slinkyloader.exe	slinkyloader.exe
PID 3928 wrote to memory of 4768	3928	slinkyloader.exe	slinkyloader.exe
PID 4768 wrote to memory of 3940	4768	slinkyloader.exe	Server.exe
PID 4768 wrote to memory of 3940	4768	slinkyloader.exe	Server.exe
PID 4768 wrote to memory of 3940	4768	slinkyloader.exe	Server.exe
PID 4768 wrote to memory of 640	4768	slinkyloader.exe	slinkyloader.exe
PID 4768 wrote to memory of 640	4768	slinkyloader.exe	slinkyloader.exe
PID 640 wrote to memory of 2452	640	slinkyloader.exe	Server.exe
PID 640 wrote to memory of 2452	640	slinkyloader.exe	Server.exe
PID 640 wrote to memory of 2452	640	slinkyloader.exe	Server.exe
PID 640 wrote to memory of 3064	640	slinkyloader.exe	slinkyloader.exe
PID 640 wrote to memory of 3064	640	slinkyloader.exe	slinkyloader.exe
PID 3064 wrote to memory of 3648	3064	slinkyloader.exe	Server.exe
PID 3064 wrote to memory of 3648	3064	slinkyloader.exe	Server.exe
PID 3064 wrote to memory of 3648	3064	slinkyloader.exe	Server.exe
PID 3064 wrote to memory of 2896	3064	slinkyloader.exe	slinkyloader.exe
PID 3064 wrote to memory of 2896	3064	slinkyloader.exe	slinkyloader.exe
PID 2896 wrote to memory of 3860	2896	slinkyloader.exe	Server.exe
PID 2896 wrote to memory of 3860	2896	slinkyloader.exe	Server.exe
PID 2896 wrote to memory of 3860	2896	slinkyloader.exe	Server.exe
PID 2896 wrote to memory of 2264	2896	slinkyloader.exe	slinkyloader.exe
PID 2896 wrote to memory of 2264	2896	slinkyloader.exe	slinkyloader.exe
PID 2264 wrote to memory of 5308	2264	slinkyloader.exe	Server.exe
PID 2264 wrote to memory of 5308	2264	slinkyloader.exe	Server.exe
PID 2264 wrote to memory of 5308	2264	slinkyloader.exe	Server.exe
PID 2264 wrote to memory of 5372	2264	slinkyloader.exe	slinkyloader.exe

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:100

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4640

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4872

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4716

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3940

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3608

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
7⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
8⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3928

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
9⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4768

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
10⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:640

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
11⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
12⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2896

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
13⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5308

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
14⤵
- Checks computer location settings
PID:5372

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5548

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
15⤵
- Checks computer location settings
PID:5620

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5724

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
16⤵
- Checks computer location settings
PID:5788

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5920

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
17⤵
- Checks computer location settings
PID:5988

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
18⤵
- Checks computer location settings
PID:5216

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5296

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
19⤵
- Checks computer location settings
PID:1412

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5716

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
20⤵
- Checks computer location settings
PID:5820

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5208

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
21⤵
- Checks computer location settings
PID:2896

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5528

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
22⤵
- Checks computer location settings
PID:5660

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5988

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
23⤵
- Checks computer location settings
PID:5628

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5904

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
24⤵
- Checks computer location settings
PID:5868

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
25⤵
- Checks computer location settings
PID:5628

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6200

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
26⤵
- Checks computer location settings
PID:6264

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
27⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6632

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
27⤵
- Checks computer location settings
PID:6700

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6828

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
28⤵
- Checks computer location settings
PID:6896

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
29⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7044

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
29⤵
- Checks computer location settings
PID:7108

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6180

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
30⤵
- Checks computer location settings
PID:6160

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6424

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
31⤵
- Checks computer location settings
PID:6440

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6540

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
32⤵
- Checks computer location settings
PID:6604

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6784

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
33⤵
- Checks computer location settings
PID:6704

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6916

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
34⤵
- Checks computer location settings
PID:4012

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
35⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6296

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
35⤵
- Checks computer location settings
PID:7120

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
36⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
36⤵
- Checks computer location settings
PID:4644

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
37⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6440

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
37⤵
- Checks computer location settings
PID:1220

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6288

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
38⤵
- Checks computer location settings
PID:7024

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
39⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6764

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
39⤵
- Checks computer location settings
PID:6728

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
40⤵
- Checks computer location settings
PID:6372

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7040

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
41⤵
- Checks computer location settings
PID:1872

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6468

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
42⤵
- Checks computer location settings
PID:1588

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
43⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5440

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
43⤵
- Checks computer location settings
PID:2792

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
44⤵
- Checks computer location settings
PID:6616

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
45⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6012

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
45⤵
- Checks computer location settings
PID:2724

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
46⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6476

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
46⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
47⤵
PID:7328

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
47⤵
PID:7376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\slinkyloader.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
95KB

MD5
5bf06998216b64bdde7e0356fff186e6

SHA1
2bfc86b0718eff41d4976212547fc651c75a5814

SHA256
b5f4a205a5c19245cfc9ea9a0e443d394b76f94af19f69144a084a5252c0da50

SHA512
1355ec92bf7eedba5b3785fb2ecc83aa91fb4beebdecca863c40f1e64925af9ee6281b78137ec891a278da808dbe4f3eca0828d6aece17f25cf061ab108e741c

Download Submit
memory/100-1-0x0000000000C40000-0x0000000001DD2000-memory.dmp

Filesize
17.6MB

Download
memory/100-0-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/100-3-0x000000001C930000-0x000000001C940000-memory.dmp

Filesize
64KB

Download
memory/100-16-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/640-85-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/640-81-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/640-80-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/1720-70-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/1756-61-0x000000001CAD0000-0x000000001CAE0000-memory.dmp

Filesize
64KB

Download
memory/1756-66-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/1756-59-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/1776-63-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/1776-79-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/1776-65-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/1776-83-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/2268-21-0x0000000004F80000-0x0000000004F92000-memory.dmp

Filesize
72KB

Download
memory/2268-17-0x00000000005B0000-0x00000000005CE000-memory.dmp

Filesize
120KB

Download
memory/2268-19-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2268-20-0x00000000054F0000-0x0000000005B08000-memory.dmp

Filesize
6.1MB

Download
memory/2268-25-0x0000000005280000-0x000000000538A000-memory.dmp

Filesize
1.0MB

Download
memory/2268-22-0x0000000004FE0000-0x000000000501C000-memory.dmp

Filesize
240KB

Download
memory/2268-23-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/2268-24-0x0000000005020000-0x000000000506C000-memory.dmp

Filesize
304KB

Download
memory/2268-39-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2268-41-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/2452-84-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3056-73-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3056-58-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/3056-56-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3076-45-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3076-27-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3076-48-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/3076-30-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/3608-51-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/3608-53-0x0000000003300000-0x0000000003310000-memory.dmp

Filesize
64KB

Download
memory/3608-60-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/3904-40-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3904-44-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/3904-57-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3928-67-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/3928-71-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/3940-46-0x000000001C870000-0x000000001C880000-memory.dmp

Filesize
64KB

Download
memory/3940-43-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/3940-52-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/3940-77-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/3940-76-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/4016-64-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/4016-49-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/4016-68-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4516-55-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/4516-36-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/4516-33-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/4516-50-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/4640-18-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/4640-28-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/4716-42-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/4716-34-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/4716-37-0x000000001CB70000-0x000000001CB80000-memory.dmp

Filesize
64KB

Download
memory/4768-74-0x000000001C920000-0x000000001C930000-memory.dmp

Filesize
64KB

Download
memory/4768-78-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/4768-72-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/4872-35-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download
memory/4872-31-0x000000001C110000-0x000000001C120000-memory.dmp

Filesize
64KB

Download
memory/4872-29-0x00007FFB61CB0000-0x00007FFB62771000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads