redline | ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457

General

Target

ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
Size

22KB
MD5

64420e27dd8930254ff853f4bbcfbbf4
SHA1

8be849e123a4c9cb877ae1f147e32df89ec92b06
SHA256

ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457
SHA512

07f7fb56c033150ca2a0d2fa28a9f5a48f84b234f138675beaa9eb21cd0b95e6532ce0ed85a14b6737b0754450beb73be42d36ec9621774489a5ffe687e67b27

Score

10^/10

redline installs discovery evasion infostealer spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

installs

C2

103.246.146.160:6677

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1060-139-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1060-140-0x000000000041933E-mapping.dmp	family_redline

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\459c5dd2-ae9b-4611-b239-67e297aef0a1\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\459c5dd2-ae9b-4611-b239-67e297aef0a1\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\459c5dd2-ae9b-4611-b239-67e297aef0a1\AdvancedRun.exe	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe

pid process

4012 AdvancedRun.exe
4408 AdvancedRun.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe = "0"	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe

description	pid	process	target process
PID 4268 set thread context of 1060	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exece15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exece15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe

pid	process
4012	AdvancedRun.exe
4012	AdvancedRun.exe
4012	AdvancedRun.exe
4012	AdvancedRun.exe
4408	AdvancedRun.exe
4408	AdvancedRun.exe
4408	AdvancedRun.exe
4408	AdvancedRun.exe
4636	powershell.exe
2920	powershell.exe
2920	powershell.exe
4636	powershell.exe
2920	powershell.exe
4636	powershell.exe
4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
1060	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
1060	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exece15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe

description	pid	process
Token: SeDebugPrivilege	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
Token: SeDebugPrivilege	4012	AdvancedRun.exe
Token: SeImpersonatePrivilege	4012	AdvancedRun.exe
Token: SeDebugPrivilege	4408	AdvancedRun.exe
Token: SeImpersonatePrivilege	4408	AdvancedRun.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	1060	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exeAdvancedRun.exe

description	pid	process	target process
PID 4268 wrote to memory of 4012	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe	AdvancedRun.exe
PID 4268 wrote to memory of 4012	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe	AdvancedRun.exe
PID 4268 wrote to memory of 4012	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe	AdvancedRun.exe
PID 4012 wrote to memory of 4408	4012	AdvancedRun.exe	AdvancedRun.exe
PID 4012 wrote to memory of 4408	4012	AdvancedRun.exe	AdvancedRun.exe
PID 4012 wrote to memory of 4408	4012	AdvancedRun.exe	AdvancedRun.exe
PID 4268 wrote to memory of 4636	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe	powershell.exe
PID 4268 wrote to memory of 4636	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe	powershell.exe
PID 4268 wrote to memory of 4636	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe	powershell.exe
PID 4268 wrote to memory of 2920	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe	powershell.exe
PID 4268 wrote to memory of 2920	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe	powershell.exe
PID 4268 wrote to memory of 2920	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe	powershell.exe
PID 4268 wrote to memory of 1060	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
PID 4268 wrote to memory of 1060	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
PID 4268 wrote to memory of 1060	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
PID 4268 wrote to memory of 1060	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
PID 4268 wrote to memory of 1060	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
PID 4268 wrote to memory of 1060	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
PID 4268 wrote to memory of 1060	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
PID 4268 wrote to memory of 1060	4268	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe

C:\Users\Admin\AppData\Local\Temp\ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
"C:\Users\Admin\AppData\Local\Temp\ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe"
1⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4268

C:\Users\Admin\AppData\Local\Temp\459c5dd2-ae9b-4611-b239-67e297aef0a1\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\459c5dd2-ae9b-4611-b239-67e297aef0a1\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\459c5dd2-ae9b-4611-b239-67e297aef0a1\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012

C:\Users\Admin\AppData\Local\Temp\459c5dd2-ae9b-4611-b239-67e297aef0a1\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\459c5dd2-ae9b-4611-b239-67e297aef0a1\AdvancedRun.exe" /SpecialRun 4101d8 4012
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Users\Admin\AppData\Local\Temp\ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
C:\Users\Admin\AppData\Local\Temp\ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Disabling Security Tools

4

T1089

Modify Registry

5

T1112

Bypass User Account Control

1

T1088

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ce15f44e49d68e40d5968e43cee8ae82458fd08fe2173a9c74f552ac6e314457.exe.log
MD5
ba7deb3deddabc5cbefd8a768eb74391

SHA1
463b8d601dd909a14da03734325c7273dcd260d5

SHA256
a1bd0a519bf798974c4442184710a76165e6d88fcbd036efed937563390a7af1

SHA512
23bb0f8f8caf579dba3c3f0500342cbce0ad7f24e11fa01656e3329129d76770cd4e0c58bdb45b53283d6f34d34ec0b123e7c56e175ee34be8dce5963c08b8fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d74f9112239571b21fe275f5d1132367

SHA1
d18d12f19f1d7f6f2f89b412478e8bf84c43f95b

SHA256
ab85adf40efdc14abec2e156760830530c468be3f6d16cd0034ccaf1307cdd1b

SHA512
212046ccd40c98adf43c443e2b5c94f35d7a4251abd6df125a0607a77ca00d6396bcc9cfcf20ebd37bb9a9b9c96fef380e5ac1f71c987fe1a33ed42ecfc0c0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\459c5dd2-ae9b-4611-b239-67e297aef0a1\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\459c5dd2-ae9b-4611-b239-67e297aef0a1\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\459c5dd2-ae9b-4611-b239-67e297aef0a1\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/1060-154-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/1060-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1060-159-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/1060-148-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/1060-161-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/1060-145-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/1060-143-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/1060-140-0x000000000041933E-mapping.dmp

Download
memory/2920-147-0x00000000075B0000-0x00000000075B1000-memory.dmp

Filesize
4KB

Download
memory/2920-157-0x00000000070C2000-0x00000000070C3000-memory.dmp

Filesize
4KB

Download
memory/2920-131-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/2920-284-0x00000000070C3000-0x00000000070C4000-memory.dmp

Filesize
4KB

Download
memory/2920-137-0x0000000007700000-0x0000000007701000-memory.dmp

Filesize
4KB

Download
memory/2920-134-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/2920-206-0x000000007EE60000-0x000000007EE61000-memory.dmp

Filesize
4KB

Download
memory/2920-130-0x0000000000000000-mapping.dmp

Download
memory/2920-187-0x0000000009330000-0x0000000009331000-memory.dmp

Filesize
4KB

Download
memory/2920-144-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/2920-176-0x0000000009350000-0x0000000009383000-memory.dmp

Filesize
204KB

Download
memory/2920-149-0x0000000007620000-0x0000000007621000-memory.dmp

Filesize
4KB

Download
memory/2920-167-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/2920-151-0x0000000007E50000-0x0000000007E51000-memory.dmp

Filesize
4KB

Download
memory/2920-165-0x0000000008570000-0x0000000008571000-memory.dmp

Filesize
4KB

Download
memory/2920-160-0x00000000081A0000-0x00000000081A1000-memory.dmp

Filesize
4KB

Download
memory/2920-156-0x00000000070C0000-0x00000000070C1000-memory.dmp

Filesize
4KB

Download
memory/4012-124-0x0000000000000000-mapping.dmp

Download
memory/4268-115-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/4268-117-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/4268-123-0x0000000006420000-0x0000000006421000-memory.dmp

Filesize
4KB

Download
memory/4268-122-0x0000000006830000-0x0000000006831000-memory.dmp

Filesize
4KB

Download
memory/4268-120-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/4268-121-0x00000000062B0000-0x0000000006322000-memory.dmp

Filesize
456KB

Download
memory/4408-127-0x0000000000000000-mapping.dmp

Download
memory/4636-155-0x00000000073B0000-0x00000000073B1000-memory.dmp

Filesize
4KB

Download
memory/4636-129-0x0000000000000000-mapping.dmp

Download
memory/4636-132-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/4636-207-0x000000007FA90000-0x000000007FA91000-memory.dmp

Filesize
4KB

Download
memory/4636-135-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/4636-287-0x00000000073B3000-0x00000000073B4000-memory.dmp

Filesize
4KB

Download
memory/4636-169-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/4636-133-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/4636-158-0x00000000073B2000-0x00000000073B3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads