redline | 2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124

General

Target

0b757d38d347d1f763f59ab7f0423ae8.exe
Size

406KB
MD5

0b757d38d347d1f763f59ab7f0423ae8
SHA1

fcf1b343ab5c7f9ac72fc6c85b3c478c5875f577
SHA256

2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124
SHA512

0b9661590897256242ddc4ea43d069999e1ddca9d7fed671a6aa31a60f0da4bd820b8bb6c2502fa1b7979dea932375e2363e882e31379935751af1cdf2ce7d94

Score

10^/10

redline x infostealer

Malware Config

Extracted

Family

redline

Botnet

X

C2

194.127.179.35:35180

Attributes

auth_value
76e43cff05002e5f6e3334fa7946e404

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1984-62-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1984-63-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1984-65-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1984-66-0x000000000041ADAE-mapping.dmp	family_redline
behavioral1/memory/580-112-0x000000000041ADAE-mapping.dmp	family_redline
behavioral1/memory/1496-133-0x000000000041ADAE-mapping.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

WinRar Activator.exechromedrivers32.exechromedrivers32.exe

pid process

1020 WinRar Activator.exe
1408 chromedrivers32.exe
1620 chromedrivers32.exe
Loads dropped DLL 3 IoCs

Processes:

taskeng.exe

pid process

664 taskeng.exe
664 taskeng.exe
664 taskeng.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1020	WinRar Activator.exe
1408	chromedrivers32.exe
1620	chromedrivers32.exe

pid	process
664	taskeng.exe
664	taskeng.exe
664	taskeng.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

0b757d38d347d1f763f59ab7f0423ae8.exechromedrivers32.exechromedrivers32.exe

description	pid	process	target process
PID 1488 set thread context of 1984	1488	0b757d38d347d1f763f59ab7f0423ae8.exe	vbc.exe
PID 1408 set thread context of 580	1408	chromedrivers32.exe	vbc.exe
PID 1620 set thread context of 1496	1620	chromedrivers32.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1764 1984 WerFault.exe vbc.exe
2008 580 WerFault.exe vbc.exe
1716 1496 WerFault.exe vbc.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1896 schtasks.exe
1656 schtasks.exe
1740 schtasks.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

0b757d38d347d1f763f59ab7f0423ae8.exe

pid process

1488 0b757d38d347d1f763f59ab7f0423ae8.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WinRar Activator.exe

description pid process

Token: SeDebugPrivilege 1020 WinRar Activator.exe

pid	pid_target	process	target process
1764	1984	WerFault.exe	vbc.exe
2008	580	WerFault.exe	vbc.exe
1716	1496	WerFault.exe	vbc.exe

pid	process
1896	schtasks.exe
1656	schtasks.exe
1740	schtasks.exe

pid	process
1488	0b757d38d347d1f763f59ab7f0423ae8.exe

description	pid	process
Token: SeDebugPrivilege	1020	WinRar Activator.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0b757d38d347d1f763f59ab7f0423ae8.execmd.exevbc.exetaskeng.exechromedrivers32.execmd.exevbc.exechromedrivers32.execmd.exe

description	pid	process	target process
PID 1488 wrote to memory of 1912	1488	0b757d38d347d1f763f59ab7f0423ae8.exe	cmd.exe
PID 1488 wrote to memory of 1912	1488	0b757d38d347d1f763f59ab7f0423ae8.exe	cmd.exe
PID 1488 wrote to memory of 1912	1488	0b757d38d347d1f763f59ab7f0423ae8.exe	cmd.exe
PID 1912 wrote to memory of 1896	1912	cmd.exe	schtasks.exe
PID 1912 wrote to memory of 1896	1912	cmd.exe	schtasks.exe
PID 1912 wrote to memory of 1896	1912	cmd.exe	schtasks.exe
PID 1488 wrote to memory of 936	1488	0b757d38d347d1f763f59ab7f0423ae8.exe	cmd.exe
PID 1488 wrote to memory of 936	1488	0b757d38d347d1f763f59ab7f0423ae8.exe	cmd.exe
PID 1488 wrote to memory of 936	1488	0b757d38d347d1f763f59ab7f0423ae8.exe	cmd.exe
PID 1488 wrote to memory of 1984	1488	0b757d38d347d1f763f59ab7f0423ae8.exe	vbc.exe
PID 1488 wrote to memory of 1984	1488	0b757d38d347d1f763f59ab7f0423ae8.exe	vbc.exe
PID 1488 wrote to memory of 1984	1488	0b757d38d347d1f763f59ab7f0423ae8.exe	vbc.exe
PID 1488 wrote to memory of 1984	1488	0b757d38d347d1f763f59ab7f0423ae8.exe	vbc.exe
PID 1488 wrote to memory of 1984	1488	0b757d38d347d1f763f59ab7f0423ae8.exe	vbc.exe
PID 1488 wrote to memory of 1984	1488	0b757d38d347d1f763f59ab7f0423ae8.exe	vbc.exe
PID 1488 wrote to memory of 1984	1488	0b757d38d347d1f763f59ab7f0423ae8.exe	vbc.exe
PID 1488 wrote to memory of 1984	1488	0b757d38d347d1f763f59ab7f0423ae8.exe	vbc.exe
PID 1488 wrote to memory of 1020	1488	0b757d38d347d1f763f59ab7f0423ae8.exe	WinRar Activator.exe
PID 1488 wrote to memory of 1020	1488	0b757d38d347d1f763f59ab7f0423ae8.exe	WinRar Activator.exe
PID 1488 wrote to memory of 1020	1488	0b757d38d347d1f763f59ab7f0423ae8.exe	WinRar Activator.exe
PID 1984 wrote to memory of 1764	1984	vbc.exe	WerFault.exe
PID 1984 wrote to memory of 1764	1984	vbc.exe	WerFault.exe
PID 1984 wrote to memory of 1764	1984	vbc.exe	WerFault.exe
PID 1984 wrote to memory of 1764	1984	vbc.exe	WerFault.exe
PID 664 wrote to memory of 1408	664	taskeng.exe	chromedrivers32.exe
PID 664 wrote to memory of 1408	664	taskeng.exe	chromedrivers32.exe
PID 664 wrote to memory of 1408	664	taskeng.exe	chromedrivers32.exe
PID 1408 wrote to memory of 1196	1408	chromedrivers32.exe	cmd.exe
PID 1408 wrote to memory of 1196	1408	chromedrivers32.exe	cmd.exe
PID 1408 wrote to memory of 1196	1408	chromedrivers32.exe	cmd.exe
PID 1196 wrote to memory of 1656	1196	cmd.exe	schtasks.exe
PID 1196 wrote to memory of 1656	1196	cmd.exe	schtasks.exe
PID 1196 wrote to memory of 1656	1196	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 1664	1408	chromedrivers32.exe	cmd.exe
PID 1408 wrote to memory of 1664	1408	chromedrivers32.exe	cmd.exe
PID 1408 wrote to memory of 1664	1408	chromedrivers32.exe	cmd.exe
PID 1408 wrote to memory of 580	1408	chromedrivers32.exe	vbc.exe
PID 1408 wrote to memory of 580	1408	chromedrivers32.exe	vbc.exe
PID 1408 wrote to memory of 580	1408	chromedrivers32.exe	vbc.exe
PID 1408 wrote to memory of 580	1408	chromedrivers32.exe	vbc.exe
PID 1408 wrote to memory of 580	1408	chromedrivers32.exe	vbc.exe
PID 1408 wrote to memory of 580	1408	chromedrivers32.exe	vbc.exe
PID 1408 wrote to memory of 580	1408	chromedrivers32.exe	vbc.exe
PID 1408 wrote to memory of 580	1408	chromedrivers32.exe	vbc.exe
PID 580 wrote to memory of 2008	580	vbc.exe	WerFault.exe
PID 580 wrote to memory of 2008	580	vbc.exe	WerFault.exe
PID 580 wrote to memory of 2008	580	vbc.exe	WerFault.exe
PID 580 wrote to memory of 2008	580	vbc.exe	WerFault.exe
PID 664 wrote to memory of 1620	664	taskeng.exe	chromedrivers32.exe
PID 664 wrote to memory of 1620	664	taskeng.exe	chromedrivers32.exe
PID 664 wrote to memory of 1620	664	taskeng.exe	chromedrivers32.exe
PID 1620 wrote to memory of 1504	1620	chromedrivers32.exe	cmd.exe
PID 1620 wrote to memory of 1504	1620	chromedrivers32.exe	cmd.exe
PID 1620 wrote to memory of 1504	1620	chromedrivers32.exe	cmd.exe
PID 1504 wrote to memory of 1740	1504	cmd.exe	schtasks.exe
PID 1504 wrote to memory of 1740	1504	cmd.exe	schtasks.exe
PID 1504 wrote to memory of 1740	1504	cmd.exe	schtasks.exe
PID 1620 wrote to memory of 1724	1620	chromedrivers32.exe	cmd.exe
PID 1620 wrote to memory of 1724	1620	chromedrivers32.exe	cmd.exe
PID 1620 wrote to memory of 1724	1620	chromedrivers32.exe	cmd.exe
PID 1620 wrote to memory of 1496	1620	chromedrivers32.exe	vbc.exe
PID 1620 wrote to memory of 1496	1620	chromedrivers32.exe	vbc.exe
PID 1620 wrote to memory of 1496	1620	chromedrivers32.exe	vbc.exe
PID 1620 wrote to memory of 1496	1620	chromedrivers32.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\0b757d38d347d1f763f59ab7f0423ae8.exe
"C:\Users\Admin\AppData\Local\Temp\0b757d38d347d1f763f59ab7f0423ae8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\system32\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\chromedrivers32.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\chromedrivers32.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\0b757d38d347d1f763f59ab7f0423ae8.exe" "C:\Users\Admin\AppData\Roaming\chromedrivers32.exe"
2⤵
PID:936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 144
3⤵
- Program crash
PID:1764

C:\Users\Admin\AppData\Local\Temp\WinRar Activator.exe
"C:\Users\Admin\AppData\Local\Temp\WinRar Activator.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\taskeng.exe
taskeng.exe {AC4415E4-99F8-41E5-A3A9-71033E4B7775} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Roaming\chromedrivers32.exe
C:\Users\Admin\AppData\Roaming\chromedrivers32.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\system32\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\chromedrivers32.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\chromedrivers32.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\chromedrivers32.exe" "C:\Users\Admin\AppData\Roaming\chromedrivers32.exe"
3⤵
PID:1664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 144
4⤵
- Program crash
PID:2008

C:\Users\Admin\AppData\Roaming\chromedrivers32.exe
C:\Users\Admin\AppData\Roaming\chromedrivers32.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\system32\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\chromedrivers32.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\chromedrivers32.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\chromedrivers32.exe" "C:\Users\Admin\AppData\Roaming\chromedrivers32.exe"
3⤵
PID:1724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 144
4⤵
- Program crash
PID:1716

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WinRar Activator.exe
Filesize
259KB

MD5
f385414230d858b00cbe7ffe3daa5928

SHA1
04f24e4f0bab06e7d58fc39b328baf382dae9cff

SHA256
b9ef9b0ae62b70c0ee11f8ff8bc87e2a7b91c2ebbd46af1a29bc5b4119145335

SHA512
1f9ad4545b37f2953f1e0f9c9409cc960d7cf30d926c80fb58e92924566d20b3ecf7a971a93f998da105c5e8b36ff5a6b9de46d29a7accd0f96ed9d1c0efb8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinRar Activator.exe
Filesize
259KB

MD5
f385414230d858b00cbe7ffe3daa5928

SHA1
04f24e4f0bab06e7d58fc39b328baf382dae9cff

SHA256
b9ef9b0ae62b70c0ee11f8ff8bc87e2a7b91c2ebbd46af1a29bc5b4119145335

SHA512
1f9ad4545b37f2953f1e0f9c9409cc960d7cf30d926c80fb58e92924566d20b3ecf7a971a93f998da105c5e8b36ff5a6b9de46d29a7accd0f96ed9d1c0efb8c2

Download Submit
C:\Users\Admin\AppData\Roaming\chromedrivers32.exe
Filesize
406KB

MD5
0b757d38d347d1f763f59ab7f0423ae8

SHA1
fcf1b343ab5c7f9ac72fc6c85b3c478c5875f577

SHA256
2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124

SHA512
0b9661590897256242ddc4ea43d069999e1ddca9d7fed671a6aa31a60f0da4bd820b8bb6c2502fa1b7979dea932375e2363e882e31379935751af1cdf2ce7d94

Download Submit
C:\Users\Admin\AppData\Roaming\chromedrivers32.exe
Filesize
406KB

MD5
0b757d38d347d1f763f59ab7f0423ae8

SHA1
fcf1b343ab5c7f9ac72fc6c85b3c478c5875f577

SHA256
2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124

SHA512
0b9661590897256242ddc4ea43d069999e1ddca9d7fed671a6aa31a60f0da4bd820b8bb6c2502fa1b7979dea932375e2363e882e31379935751af1cdf2ce7d94

Download Submit
C:\Users\Admin\AppData\Roaming\chromedrivers32.exe
Filesize
406KB

MD5
0b757d38d347d1f763f59ab7f0423ae8

SHA1
fcf1b343ab5c7f9ac72fc6c85b3c478c5875f577

SHA256
2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124

SHA512
0b9661590897256242ddc4ea43d069999e1ddca9d7fed671a6aa31a60f0da4bd820b8bb6c2502fa1b7979dea932375e2363e882e31379935751af1cdf2ce7d94

Download Submit
\Users\Admin\AppData\Roaming\chromedrivers32.exe
Filesize
406KB

MD5
0b757d38d347d1f763f59ab7f0423ae8

SHA1
fcf1b343ab5c7f9ac72fc6c85b3c478c5875f577

SHA256
2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124

SHA512
0b9661590897256242ddc4ea43d069999e1ddca9d7fed671a6aa31a60f0da4bd820b8bb6c2502fa1b7979dea932375e2363e882e31379935751af1cdf2ce7d94

Download Submit
\Users\Admin\AppData\Roaming\chromedrivers32.exe
Filesize
406KB

MD5
0b757d38d347d1f763f59ab7f0423ae8

SHA1
fcf1b343ab5c7f9ac72fc6c85b3c478c5875f577

SHA256
2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124

SHA512
0b9661590897256242ddc4ea43d069999e1ddca9d7fed671a6aa31a60f0da4bd820b8bb6c2502fa1b7979dea932375e2363e882e31379935751af1cdf2ce7d94

Download Submit
\Users\Admin\AppData\Roaming\chromedrivers32.exe
Filesize
406KB

MD5
0b757d38d347d1f763f59ab7f0423ae8

SHA1
fcf1b343ab5c7f9ac72fc6c85b3c478c5875f577

SHA256
2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124

SHA512
0b9661590897256242ddc4ea43d069999e1ddca9d7fed671a6aa31a60f0da4bd820b8bb6c2502fa1b7979dea932375e2363e882e31379935751af1cdf2ce7d94

Download Submit
memory/580-112-0x000000000041ADAE-mapping.dmp

Download
memory/936-57-0x0000000000000000-mapping.dmp

Download
memory/1020-67-0x0000000000000000-mapping.dmp

Download
memory/1020-85-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/1020-82-0x000007FEF2230000-0x000007FEF2ABC000-memory.dmp

Filesize
8.5MB

Download
memory/1020-91-0x000007FEF4340000-0x000007FEF58C8000-memory.dmp

Filesize
21.5MB

Download
memory/1020-81-0x000007FEF2AC0000-0x000007FEF2CA8000-memory.dmp

Filesize
1.9MB

Download
memory/1020-89-0x000007FEEE3F0000-0x000007FEEF33D000-memory.dmp

Filesize
15.3MB

Download
memory/1020-88-0x000007FEF3700000-0x000007FEF433F000-memory.dmp

Filesize
12.2MB

Download
memory/1020-72-0x00000000002C0000-0x0000000000306000-memory.dmp

Filesize
280KB

Download
memory/1020-86-0x000000001A947000-0x000000001A966000-memory.dmp

Filesize
124KB

Download
memory/1020-90-0x000007FEF2AC0000-0x000007FEF2CA8000-memory.dmp

Filesize
1.9MB

Download
memory/1020-84-0x000007FEF63A0000-0x000007FEF64CA000-memory.dmp

Filesize
1.2MB

Download
memory/1020-76-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp

Filesize
8KB

Download
memory/1020-83-0x000007FEF4340000-0x000007FEF58C8000-memory.dmp

Filesize
21.5MB

Download
memory/1020-78-0x000007FEF3700000-0x000007FEF433F000-memory.dmp

Filesize
12.2MB

Download
memory/1020-79-0x000007FEF2CB0000-0x000007FEF3700000-memory.dmp

Filesize
10.3MB

Download
memory/1020-80-0x000007FEEE3F0000-0x000007FEEF33D000-memory.dmp

Filesize
15.3MB

Download
memory/1196-98-0x0000000000000000-mapping.dmp

Download
memory/1408-110-0x000007FEEE3F0000-0x000007FEEF33D000-memory.dmp

Filesize
15.3MB

Download
memory/1408-95-0x0000000000000000-mapping.dmp

Download
memory/1408-107-0x000007FEF3700000-0x000007FEF433F000-memory.dmp

Filesize
12.2MB

Download
memory/1408-108-0x000007FEF2CB0000-0x000007FEF3700000-memory.dmp

Filesize
10.3MB

Download
memory/1408-97-0x0000000000860000-0x00000000008C8000-memory.dmp

Filesize
416KB

Download
memory/1408-109-0x000007FEF2AC0000-0x000007FEF2CA8000-memory.dmp

Filesize
1.9MB

Download
memory/1408-102-0x000007FEF4340000-0x000007FEF58C8000-memory.dmp

Filesize
21.5MB

Download
memory/1408-114-0x000007FEF4340000-0x000007FEF58C8000-memory.dmp

Filesize
21.5MB

Download
memory/1488-77-0x000007FEEE3F0000-0x000007FEEF33D000-memory.dmp

Filesize
15.3MB

Download
memory/1488-71-0x000007FEF2CB0000-0x000007FEF3700000-memory.dmp

Filesize
10.3MB

Download
memory/1488-64-0x000007FEF3700000-0x000007FEF433F000-memory.dmp

Filesize
12.2MB

Download
memory/1488-58-0x000007FEF4340000-0x000007FEF58C8000-memory.dmp

Filesize
21.5MB

Download
memory/1488-54-0x0000000000190000-0x00000000001F8000-memory.dmp

Filesize
416KB

Download
memory/1488-87-0x000007FEEE3F0000-0x000007FEEF33D000-memory.dmp

Filesize
15.3MB

Download
memory/1488-73-0x000007FEF4340000-0x000007FEF58C8000-memory.dmp

Filesize
21.5MB

Download
memory/1488-74-0x000007FEF2AC0000-0x000007FEF2CA8000-memory.dmp

Filesize
1.9MB

Download
memory/1488-75-0x000007FEF3700000-0x000007FEF433F000-memory.dmp

Filesize
12.2MB

Download
memory/1496-133-0x000000000041ADAE-mapping.dmp

Download
memory/1504-119-0x0000000000000000-mapping.dmp

Download
memory/1620-130-0x000007FEF2AC0000-0x000007FEF2CA8000-memory.dmp

Filesize
1.9MB

Download
memory/1620-134-0x000007FEF4340000-0x000007FEF58C8000-memory.dmp

Filesize
21.5MB

Download
memory/1620-129-0x000007FEF2CB0000-0x000007FEF3700000-memory.dmp

Filesize
10.3MB

Download
memory/1620-131-0x000007FEEE3F0000-0x000007FEEF33D000-memory.dmp

Filesize
15.3MB

Download
memory/1620-127-0x000007FEF4340000-0x000007FEF58C8000-memory.dmp

Filesize
21.5MB

Download
memory/1620-116-0x0000000000000000-mapping.dmp

Download
memory/1620-118-0x0000000000870000-0x00000000008D8000-memory.dmp

Filesize
416KB

Download
memory/1620-128-0x000007FEF3700000-0x000007FEF433F000-memory.dmp

Filesize
12.2MB

Download
memory/1656-99-0x0000000000000000-mapping.dmp

Download
memory/1664-100-0x0000000000000000-mapping.dmp

Download
memory/1716-135-0x0000000000000000-mapping.dmp

Download
memory/1724-121-0x0000000000000000-mapping.dmp

Download
memory/1740-120-0x0000000000000000-mapping.dmp

Download
memory/1764-70-0x0000000000000000-mapping.dmp

Download
memory/1896-56-0x0000000000000000-mapping.dmp

Download
memory/1912-55-0x0000000000000000-mapping.dmp

Download
memory/1984-66-0x000000000041ADAE-mapping.dmp

Download
memory/1984-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1984-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1984-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1984-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1984-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2008-113-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads