redline | 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36

General

Target

build.exe
Size

1.7MB
MD5

618ea7b0e2a26f3c6db0a8664c63fc6f
SHA1

f2d41df1d55178b5f7de0512912159f2663296cd
SHA256

3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36
SHA512

5bda8aef91d4ac0a4eb09427b996b8fb0792297991af8a2ddf563676ae14a724eed77e1b4dd0573c9abc094604c172b1a5a2587ae33814105afc7fc87fc872a5

Score

10^/10

redline agilenet discovery evasion infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

C2

135.181.245.89:24368

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1936-91-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1936-90-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1936-92-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1936-93-0x0000000000418EEA-mapping.dmp	family_redline
behavioral1/memory/1936-95-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

1637617173.exe1637617173.exe

pid process

1816 1637617173.exe
1936 1637617173.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Loads dropped DLL 1 IoCs

Processes:

1637617173.exe

pid process

1816 1637617173.exe

pid	process
1816	1637617173.exe
1936	1637617173.exe

pid	process
1816	1637617173.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1637617173.exe	agile_net
C:\Users\Admin\AppData\Local\Temp\1637617173.exe	agile_net
\Users\Admin\AppData\Local\Temp\1637617173.exe	agile_net
C:\Users\Admin\AppData\Local\Temp\1637617173.exe	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

build.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Registry = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Registry.exe"	build.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

1637617173.exe

description pid process target process

PID 1816 set thread context of 1936 1816 1637617173.exe 1637617173.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 4 Go-http-client/1.1

description	pid	process	target process
PID 1816 set thread context of 1936	1816	1637617173.exe	1637617173.exe

description	flow	ioc
HTTP User-Agent header	4	Go-http-client/1.1

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1637617173.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	1637617173.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	1637617173.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	1637617173.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

1637617173.exe

pid process

1816 1637617173.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe1637617173.exe1637617173.exe

pid process

1092 powershell.exe
1888 powershell.exe
1816 1637617173.exe
1816 1637617173.exe
1936 1637617173.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

cmd.exe

pid process

1528 cmd.exe

pid	process
1816	1637617173.exe

pid	process
1092	powershell.exe
1888	powershell.exe
1816	1637617173.exe
1816	1637617173.exe
1936	1637617173.exe

pid	process
1528	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exe1637617173.exe1637617173.exe

description	pid	process
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	1816	1637617173.exe
Token: SeDebugPrivilege	1936	1637617173.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

build.execmd.execmd.execmd.execmd.execmd.exe1637617173.exe

description	pid	process	target process
PID 1988 wrote to memory of 772	1988	build.exe	cmd.exe
PID 1988 wrote to memory of 772	1988	build.exe	cmd.exe
PID 1988 wrote to memory of 772	1988	build.exe	cmd.exe
PID 772 wrote to memory of 1092	772	cmd.exe	powershell.exe
PID 772 wrote to memory of 1092	772	cmd.exe	powershell.exe
PID 772 wrote to memory of 1092	772	cmd.exe	powershell.exe
PID 1988 wrote to memory of 1528	1988	build.exe	cmd.exe
PID 1988 wrote to memory of 1528	1988	build.exe	cmd.exe
PID 1988 wrote to memory of 1528	1988	build.exe	cmd.exe
PID 1988 wrote to memory of 1768	1988	build.exe	cmd.exe
PID 1988 wrote to memory of 1768	1988	build.exe	cmd.exe
PID 1988 wrote to memory of 1768	1988	build.exe	cmd.exe
PID 1768 wrote to memory of 1748	1768	cmd.exe	reg.exe
PID 1768 wrote to memory of 1748	1768	cmd.exe	reg.exe
PID 1768 wrote to memory of 1748	1768	cmd.exe	reg.exe
PID 1988 wrote to memory of 1384	1988	build.exe	cmd.exe
PID 1988 wrote to memory of 1384	1988	build.exe	cmd.exe
PID 1988 wrote to memory of 1384	1988	build.exe	cmd.exe
PID 1988 wrote to memory of 1512	1988	build.exe	cmd.exe
PID 1988 wrote to memory of 1512	1988	build.exe	cmd.exe
PID 1988 wrote to memory of 1512	1988	build.exe	cmd.exe
PID 1384 wrote to memory of 2000	1384	cmd.exe	attrib.exe
PID 1384 wrote to memory of 2000	1384	cmd.exe	attrib.exe
PID 1384 wrote to memory of 2000	1384	cmd.exe	attrib.exe
PID 1512 wrote to memory of 1888	1512	cmd.exe	powershell.exe
PID 1512 wrote to memory of 1888	1512	cmd.exe	powershell.exe
PID 1512 wrote to memory of 1888	1512	cmd.exe	powershell.exe
PID 1988 wrote to memory of 836	1988	build.exe	cmd.exe
PID 1988 wrote to memory of 836	1988	build.exe	cmd.exe
PID 1988 wrote to memory of 836	1988	build.exe	cmd.exe
PID 836 wrote to memory of 1816	836	cmd.exe	1637617173.exe
PID 836 wrote to memory of 1816	836	cmd.exe	1637617173.exe
PID 836 wrote to memory of 1816	836	cmd.exe	1637617173.exe
PID 836 wrote to memory of 1816	836	cmd.exe	1637617173.exe
PID 836 wrote to memory of 1816	836	cmd.exe	1637617173.exe
PID 836 wrote to memory of 1816	836	cmd.exe	1637617173.exe
PID 836 wrote to memory of 1816	836	cmd.exe	1637617173.exe
PID 1816 wrote to memory of 1936	1816	1637617173.exe	1637617173.exe
PID 1816 wrote to memory of 1936	1816	1637617173.exe	1637617173.exe
PID 1816 wrote to memory of 1936	1816	1637617173.exe	1637617173.exe
PID 1816 wrote to memory of 1936	1816	1637617173.exe	1637617173.exe
PID 1816 wrote to memory of 1936	1816	1637617173.exe	1637617173.exe
PID 1816 wrote to memory of 1936	1816	1637617173.exe	1637617173.exe
PID 1816 wrote to memory of 1936	1816	1637617173.exe	1637617173.exe
PID 1816 wrote to memory of 1936	1816	1637617173.exe	1637617173.exe
PID 1816 wrote to memory of 1936	1816	1637617173.exe	1637617173.exe
PID 1816 wrote to memory of 1936	1816	1637617173.exe	1637617173.exe
PID 1816 wrote to memory of 1936	1816	1637617173.exe	1637617173.exe
PID 1816 wrote to memory of 1936	1816	1637617173.exe	1637617173.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2000 attrib.exe

pid	process
2000	attrib.exe

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\system32\cmd.exe
cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp"
2⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\cmd.exe
cmd /Q /C move /Y C:\Users\Admin\AppData\Local\Temp\build.exe C:\Users\Admin\AppData\Roaming\Microsoft\Registry.exe
2⤵
- Suspicious behavior: RenamesItself
PID:1528

C:\Windows\system32\cmd.exe
cmd /Q /C reg add "HKCU\Software\Networking5 Servic1e" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Networking5 Servic1e" /f
3⤵
PID:1748

C:\Windows\system32\cmd.exe
cmd /C "attrib +S +H C:\Users\Admin\AppData\Roaming\Microsoft\Registry.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\system32\attrib.exe
attrib +S +H C:\Users\Admin\AppData\Roaming\Microsoft\Registry.exe
3⤵
- Views/modifies file attributes
PID:2000

C:\Windows\system32\cmd.exe
cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft"
2⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\system32\cmd.exe
cmd /C C:\Users\Admin\AppData\Local\Temp\1637617173.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\1637617173.exe
C:\Users\Admin\AppData\Local\Temp\1637617173.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\1637617173.exe
C:\Users\Admin\AppData\Local\Temp\1637617173.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1637617173.exe
MD5
093cdb435c4003e1a7d4269e332730a1

SHA1
c8cff0231c22d5285a73f03b7624b4c60d79b820

SHA256
bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613

SHA512
9df903c6e990c2f253f82aa9f618f9cfbdead034d34a4cbfdf1fb08f36ceaeb65041faa1fbf17fee972d15a577269aec400cc9ce948041cb7bc77cc04d39ffb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1637617173.exe
MD5
093cdb435c4003e1a7d4269e332730a1

SHA1
c8cff0231c22d5285a73f03b7624b4c60d79b820

SHA256
bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613

SHA512
9df903c6e990c2f253f82aa9f618f9cfbdead034d34a4cbfdf1fb08f36ceaeb65041faa1fbf17fee972d15a577269aec400cc9ce948041cb7bc77cc04d39ffb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1637617173.exe
MD5
093cdb435c4003e1a7d4269e332730a1

SHA1
c8cff0231c22d5285a73f03b7624b4c60d79b820

SHA256
bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613

SHA512
9df903c6e990c2f253f82aa9f618f9cfbdead034d34a4cbfdf1fb08f36ceaeb65041faa1fbf17fee972d15a577269aec400cc9ce948041cb7bc77cc04d39ffb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
91fa97a4387c9b59349ba88df870680c

SHA1
190ddf6c08f85626e91a02b72a6a5b4058d0728c

SHA256
949480e72bf428f9425b695ab03dce171ccd34a87046c270013291e31d27ff94

SHA512
7c3585e6cea33601b4aa484666a0ddfd0df967b2480901c76c736329307fb69b2216217260514b14cc43f1811d4ba2a485def294c7e23d4f26a8ac3c0ecef503

Download Submit
\Users\Admin\AppData\Local\Temp\1637617173.exe
MD5
093cdb435c4003e1a7d4269e332730a1

SHA1
c8cff0231c22d5285a73f03b7624b4c60d79b820

SHA256
bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613

SHA512
9df903c6e990c2f253f82aa9f618f9cfbdead034d34a4cbfdf1fb08f36ceaeb65041faa1fbf17fee972d15a577269aec400cc9ce948041cb7bc77cc04d39ffb8

Download Submit
memory/772-55-0x0000000000000000-mapping.dmp

Download
memory/836-78-0x0000000000000000-mapping.dmp

Download
memory/1092-67-0x0000000002970000-0x0000000002972000-memory.dmp

Filesize
8KB

Download
memory/1092-76-0x000000000297B000-0x000000000299A000-memory.dmp

Filesize
124KB

Download
memory/1092-56-0x0000000000000000-mapping.dmp

Download
memory/1092-58-0x000007FEFC4C1000-0x000007FEFC4C3000-memory.dmp

Filesize
8KB

Download
memory/1092-68-0x0000000002972000-0x0000000002974000-memory.dmp

Filesize
8KB

Download
memory/1092-69-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/1092-63-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/1092-59-0x000007FEF3120000-0x000007FEF3C7D000-memory.dmp

Filesize
11.4MB

Download
memory/1384-62-0x0000000000000000-mapping.dmp

Download
memory/1512-64-0x0000000000000000-mapping.dmp

Download
memory/1528-57-0x0000000000000000-mapping.dmp

Download
memory/1748-61-0x0000000000000000-mapping.dmp

Download
memory/1768-60-0x0000000000000000-mapping.dmp

Download
memory/1816-80-0x0000000000000000-mapping.dmp

Download
memory/1816-82-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/1816-86-0x0000000001F00000-0x0000000001F18000-memory.dmp

Filesize
96KB

Download
memory/1816-85-0x0000000004AE0000-0x0000000004B31000-memory.dmp

Filesize
324KB

Download
memory/1816-84-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/1888-72-0x000007FEF3120000-0x000007FEF3C7D000-memory.dmp

Filesize
11.4MB

Download
memory/1888-77-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/1888-73-0x0000000002720000-0x0000000002722000-memory.dmp

Filesize
8KB

Download
memory/1888-74-0x0000000002722000-0x0000000002724000-memory.dmp

Filesize
8KB

Download
memory/1888-75-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1888-66-0x0000000000000000-mapping.dmp

Download
memory/1936-91-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1936-88-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1936-90-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1936-89-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1936-92-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1936-93-0x0000000000418EEA-mapping.dmp

Download
memory/1936-95-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1936-97-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/2000-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads