amadey | c5a3dbeea17ddba50482e7844a817171580f977dcea9ad7b655d39a934b93b93

Analysis

max time kernel
158s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 12:33 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe
Size

390KB
MD5

1b39c696c7ebdec56e5bd5e819ff51c2
SHA1

13499e2a975747bbc7dfa629b93c79143980cb5e
SHA256

1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691
SHA512

bd4e865d924da4f2cbbb97f96cc5b31c88f4698fb5d4bc109e191336171aa87f64458960279732395e1ec47c4a10683809435612d9bce181f440a653ff2e3f8c
SSDEEP

6144:KKy+bnr+vp0yN90QEITqYImmruIrRHY6y0ZJJqB5bu9CVCyXyNRK2h7nSXO/:uMrry90mTImmiazSBJlwuXO/

Score

10^/10

amadey healer redline krast dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

http://5.42.92.67

Attributes

install_dir
ebb444342c
install_file
legola.exe
strings_key
5680b049188ecacbfa57b1b29c2f35a7
url_paths
/norm/index.php

rc4.plain

1
a091ec0a6e22276a96a99c1d34ef679c

Extracted

Family

redline

Botnet

krast

77.91.68.68:19071

Attributes

auth_value
9059ea331e4599de3746df73ccb24514

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral4/files/0x0009000000023281-12.dat	healer
behavioral4/memory/904-15-0x0000000000FE0000-0x0000000000FEA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p9107253.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p9107253.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	p9107253.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p9107253.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p9107253.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p9107253.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000800000002327f-31.dat	family_redline
behavioral4/memory/1112-33-0x0000000000D80000-0x0000000000DB0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	r5880657.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	legola.exe

Executes dropped EXE 6 IoCs

pid	Process
1900	z3352497.exe
904	p9107253.exe
2584	r5880657.exe
2948	legola.exe
1112	t0213700.exe
4068	legola.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p9107253.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3352497.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
904	p9107253.exe
904	p9107253.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	904	p9107253.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2584	r5880657.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 1900	4284	1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe	92
PID 4284 wrote to memory of 1900	4284	1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe	92
PID 4284 wrote to memory of 1900	4284	1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe	92
PID 1900 wrote to memory of 904	1900	z3352497.exe	93
PID 1900 wrote to memory of 904	1900	z3352497.exe	93
PID 1900 wrote to memory of 2584	1900	z3352497.exe	95
PID 1900 wrote to memory of 2584	1900	z3352497.exe	95
PID 1900 wrote to memory of 2584	1900	z3352497.exe	95
PID 2584 wrote to memory of 2948	2584	r5880657.exe	96
PID 2584 wrote to memory of 2948	2584	r5880657.exe	96
PID 2584 wrote to memory of 2948	2584	r5880657.exe	96
PID 4284 wrote to memory of 1112	4284	1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe	97
PID 4284 wrote to memory of 1112	4284	1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe	97
PID 4284 wrote to memory of 1112	4284	1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe	97
PID 2948 wrote to memory of 1088	2948	legola.exe	98
PID 2948 wrote to memory of 1088	2948	legola.exe	98
PID 2948 wrote to memory of 1088	2948	legola.exe	98
PID 2948 wrote to memory of 3968	2948	legola.exe	100
PID 2948 wrote to memory of 3968	2948	legola.exe	100
PID 2948 wrote to memory of 3968	2948	legola.exe	100
PID 3968 wrote to memory of 1768	3968	cmd.exe	102
PID 3968 wrote to memory of 1768	3968	cmd.exe	102
PID 3968 wrote to memory of 1768	3968	cmd.exe	102
PID 3968 wrote to memory of 4380	3968	cmd.exe	103
PID 3968 wrote to memory of 4380	3968	cmd.exe	103
PID 3968 wrote to memory of 4380	3968	cmd.exe	103
PID 3968 wrote to memory of 2712	3968	cmd.exe	104
PID 3968 wrote to memory of 2712	3968	cmd.exe	104
PID 3968 wrote to memory of 2712	3968	cmd.exe	104
PID 3968 wrote to memory of 3020	3968	cmd.exe	105
PID 3968 wrote to memory of 3020	3968	cmd.exe	105
PID 3968 wrote to memory of 3020	3968	cmd.exe	105
PID 3968 wrote to memory of 408	3968	cmd.exe	106
PID 3968 wrote to memory of 408	3968	cmd.exe	106
PID 3968 wrote to memory of 408	3968	cmd.exe	106
PID 3968 wrote to memory of 1016	3968	cmd.exe	107
PID 3968 wrote to memory of 1016	3968	cmd.exe	107
PID 3968 wrote to memory of 1016	3968	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe
"C:\Users\Admin\AppData\Local\Temp\1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
      "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1088
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:1768
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legola.exe" /P "Admin:N"
        6⤵
        
        PID:4380
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legola.exe" /P "Admin:R" /E
        6⤵
        
        PID:2712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3020
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\ebb444342c" /P "Admin:N"
        6⤵
        
        PID:408
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\ebb444342c" /P "Admin:R" /E
        6⤵
        
        PID:1016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0213700.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0213700.exe
  2⤵
  - Executes dropped EXE
  PID:1112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
1⤵
- Executes dropped EXE
PID:4068

Network

DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

77.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

77.190.18.2.in-addr.arpa

IN PTR

Response

77.190.18.2.in-addr.arpa

IN PTR

a2-18-190-77deploystaticakamaitechnologiescom
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

139.53.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

139.53.16.96.in-addr.arpa

IN PTR

Response

139.53.16.96.in-addr.arpa

IN PTR

a96-16-53-139deploystaticakamaitechnologiescom
DNS

23.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.236.111.52.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

10.179.89.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.179.89.13.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

chromewebstore.googleapis.com

Remote address:

8.8.8.8:53

Request

chromewebstore.googleapis.com

IN A

Response

chromewebstore.googleapis.com

IN A

142.250.200.10

chromewebstore.googleapis.com

IN A

142.250.200.42

chromewebstore.googleapis.com

IN A

216.58.201.106

chromewebstore.googleapis.com

IN A

216.58.204.74

chromewebstore.googleapis.com

IN A

172.217.169.10

chromewebstore.googleapis.com

IN A

216.58.212.202

chromewebstore.googleapis.com

IN A

172.217.169.74

chromewebstore.googleapis.com

IN A

172.217.169.42

chromewebstore.googleapis.com

IN A

142.250.179.234

chromewebstore.googleapis.com

IN A

142.250.180.10

chromewebstore.googleapis.com

IN A

142.250.187.202

chromewebstore.googleapis.com

IN A

142.250.187.234

chromewebstore.googleapis.com

IN A

142.250.178.10

chromewebstore.googleapis.com

IN A

172.217.16.234
DNS

chromewebstore.googleapis.com

Remote address:

8.8.8.8:53

Request

chromewebstore.googleapis.com

IN Unknown

Response
DNS

10.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.200.250.142.in-addr.arpa

IN PTR

Response

10.200.250.142.in-addr.arpa

IN PTR

lhr48s29-in-f101e100net

13.107.253.67:443

46 B
40 B
1
1
5.42.92.67:80

legola.exe

260 B
5
142.250.200.10:443

chromewebstore.googleapis.com

tls

1.9kB
7.8kB
14
15
77.91.68.68:19071

t0213700.exe

208 B
4
5.42.92.67:80

legola.exe

156 B
3

8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

77.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

77.190.18.2.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

139.53.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

139.53.16.96.in-addr.arpa
8.8.8.8:53

23.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.236.111.52.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

10.179.89.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

10.179.89.13.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

chromewebstore.googleapis.com

dns

75 B
299 B
1
1

DNS Request

chromewebstore.googleapis.com

DNS Response

142.250.200.10

142.250.200.42

216.58.201.106

216.58.204.74

172.217.169.10

216.58.212.202

172.217.169.74

172.217.169.42

142.250.179.234

142.250.180.10

142.250.187.202

142.250.187.234

142.250.178.10

172.217.16.234
8.8.8.8:53

chromewebstore.googleapis.com

dns

75 B
132 B
1
1

DNS Request

chromewebstore.googleapis.com
8.8.8.8:53

10.200.250.142.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

10.200.250.142.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0213700.exe

Filesize
173KB

MD5
b8c5d95c1f7a38803ce7e06a3163b115

SHA1
8f5850e40c86222637fdf8fe190880eb203bd546

SHA256
dca8ac02fa9e6017548cee8be5c5073643fb1096ed887ac87301018c8f663f61

SHA512
2d55b6393a16147be65d6f5dd8b35bbea1b06b6aafd32256a2accb59877156de41dec5d48f8d05a22abb2853f32ac79932fc43cca7d38a83e89e2f14c55b823c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe

Filesize
234KB

MD5
859530ca071eca4d755d51e586e8e887

SHA1
de62d33ce5bdbcaee3969c0b7f5923be57f65b18

SHA256
51fe2b44092632d15df632de06f77403d4ed876e788b6b513102a552a4fd7532

SHA512
acd81f2a81bdf865b7ae581034c813d41e694cd942ceca7c5ce801d427c5163803da91d0d06e6eeef5b7906af6dcd075aa869eb5901c96fb162a9031cb0621c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe

Filesize
11KB

MD5
9df47b120c7025ec8ffdc3338bf3371a

SHA1
18c9a5590d838f935ea38598118558686094db80

SHA256
cc881b7786c962ef44b2394705f24fbf1f7964505b2d3322a522a62d838ff829

SHA512
a70ea602160af906fa5958b9d01ee0ddd93bda62c8f5c1ec2632471561df5290ecd8f428f0b3c87bb2fa8a5546bd9e2e5200faa708d62a3ee36df69390227dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe

Filesize
223KB

MD5
a748d210956507aaeb3aa55c796c4493

SHA1
6536facee8829b5d0cab1bcb31c9bb528812c0eb

SHA256
970a4c051a4e15f2fb1aef52a2916e417719475bf3bf076194c3978ca526ac83

SHA512
e117d4e660e74fafee8aab8cc412969b6f27287ce9efd787a72aa40d4128853b46e5a04e5217f1d72cbd5b69ac5570d49c823134776aa9f9cb297b71061aed25

Download Submit
memory/904-14-0x00007FFFD6683000-0x00007FFFD6685000-memory.dmp

Filesize
8KB

Download
memory/904-15-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

Filesize
40KB

Download
memory/1112-33-0x0000000000D80000-0x0000000000DB0000-memory.dmp

Filesize
192KB

Download
memory/1112-34-0x0000000003170000-0x0000000003176000-memory.dmp

Filesize
24KB

Download
memory/1112-35-0x000000000B1E0000-0x000000000B7F8000-memory.dmp

Filesize
6.1MB

Download
memory/1112-36-0x000000000AD30000-0x000000000AE3A000-memory.dmp

Filesize
1.0MB

Download
memory/1112-37-0x000000000AC70000-0x000000000AC82000-memory.dmp

Filesize
72KB

Download
memory/1112-38-0x000000000ACD0000-0x000000000AD0C000-memory.dmp

Filesize
240KB

Download
memory/1112-40-0x000000000B0C0000-0x000000000B10C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.