redline | f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124

General

Target

f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exe
Size

539KB
MD5

092f2e02c114e3343185de3ca6c94b9b
SHA1

f20ba641f5d76c20f3144549ef1efedaf297e782
SHA256

f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124
SHA512

e9a9fd40de5f787f483201ef0ded0af87824fdeaef4bd728e8d7f9328aed0efdcc32f344d857019e1027fd708b43054f4627cc02f9c91145728101fb42464173
SSDEEP

12288:wMrIy90stdgHPj4Mtzk7+h29GYYxOI4+6CLLU4zl0SgqJjI:oyNq4M9k7+h+GYInJHU9dAjI

Score

10^/10

redline bolt down discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

bolt

C2

193.233.20.31:4125

Attributes

auth_value
29540c7bf0277243e2faf6601e15a754

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

h14Tr50.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	h14Tr50.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	h14Tr50.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	h14Tr50.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	h14Tr50.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	h14Tr50.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4880-139-0x0000000004BB0000-0x0000000004BF6000-memory.dmp	family_redline
behavioral1/memory/4880-145-0x0000000007120000-0x0000000007164000-memory.dmp	family_redline
behavioral1/memory/4880-146-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-147-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-149-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-151-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-153-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-155-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-157-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-159-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-161-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-163-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-165-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-167-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-169-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-171-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-173-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-175-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-179-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-181-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-177-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-183-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-185-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-187-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-189-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-191-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-193-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-195-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-197-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-199-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-201-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-203-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-205-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-207-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline
behavioral1/memory/4880-209-0x0000000007120000-0x000000000715E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

niba2740.exeh14Tr50.exeixHBm37.exel11QN22.exe

pid process

3644 niba2740.exe
4348 h14Tr50.exe
4880 ixHBm37.exe
4848 l11QN22.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

h14Tr50.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" h14Tr50.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3644	niba2740.exe
4348	h14Tr50.exe
4880	ixHBm37.exe
4848	l11QN22.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	h14Tr50.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exeniba2740.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	niba2740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	niba2740.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

h14Tr50.exeixHBm37.exel11QN22.exe

pid process

4348 h14Tr50.exe
4348 h14Tr50.exe
4880 ixHBm37.exe
4880 ixHBm37.exe
4848 l11QN22.exe
4848 l11QN22.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

h14Tr50.exeixHBm37.exel11QN22.exe

description pid process

Token: SeDebugPrivilege 4348 h14Tr50.exe
Token: SeDebugPrivilege 4880 ixHBm37.exe
Token: SeDebugPrivilege 4848 l11QN22.exe

pid	process
4348	h14Tr50.exe
4348	h14Tr50.exe
4880	ixHBm37.exe
4880	ixHBm37.exe
4848	l11QN22.exe
4848	l11QN22.exe

description	pid	process
Token: SeDebugPrivilege	4348	h14Tr50.exe
Token: SeDebugPrivilege	4880	ixHBm37.exe
Token: SeDebugPrivilege	4848	l11QN22.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exeniba2740.exe

description	pid	process	target process
PID 3640 wrote to memory of 3644	3640	f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exe	niba2740.exe
PID 3640 wrote to memory of 3644	3640	f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exe	niba2740.exe
PID 3640 wrote to memory of 3644	3640	f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exe	niba2740.exe
PID 3644 wrote to memory of 4348	3644	niba2740.exe	h14Tr50.exe
PID 3644 wrote to memory of 4348	3644	niba2740.exe	h14Tr50.exe
PID 3644 wrote to memory of 4880	3644	niba2740.exe	ixHBm37.exe
PID 3644 wrote to memory of 4880	3644	niba2740.exe	ixHBm37.exe
PID 3644 wrote to memory of 4880	3644	niba2740.exe	ixHBm37.exe
PID 3640 wrote to memory of 4848	3640	f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exe	l11QN22.exe
PID 3640 wrote to memory of 4848	3640	f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exe	l11QN22.exe
PID 3640 wrote to memory of 4848	3640	f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exe	l11QN22.exe

C:\Users\Admin\AppData\Local\Temp\f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exe
"C:\Users\Admin\AppData\Local\Temp\f921bf5f937e2ecbb872a001b944dc082294c3d004c149e8e4363f4539695124.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3640

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2740.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2740.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3644

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h14Tr50.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h14Tr50.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ixHBm37.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ixHBm37.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l11QN22.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l11QN22.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l11QN22.exe
Filesize
175KB

MD5
78efaf7292c2027da40635ca1aae855a

SHA1
686227a48e23b382a06c74f17d9b6f36e76042fd

SHA256
2f1381bbe319ee3d19b3e07704205a3d31a7ffb7b5b7c282b9d884682bc892ab

SHA512
19e22ec7ad2295a1a3f4cbabb2e005df674ff3731cc33b74e175e10fcc4e482c8f0ce9c8722a8d14a0f9f9ad6e37360ce6816215512bea8324cd87a9fefc852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l11QN22.exe
Filesize
175KB

MD5
78efaf7292c2027da40635ca1aae855a

SHA1
686227a48e23b382a06c74f17d9b6f36e76042fd

SHA256
2f1381bbe319ee3d19b3e07704205a3d31a7ffb7b5b7c282b9d884682bc892ab

SHA512
19e22ec7ad2295a1a3f4cbabb2e005df674ff3731cc33b74e175e10fcc4e482c8f0ce9c8722a8d14a0f9f9ad6e37360ce6816215512bea8324cd87a9fefc852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2740.exe
Filesize
397KB

MD5
4d2a905a143206c91e6e3f06f851727a

SHA1
ccd782512b550fa3dce9968817dfa13177f4d479

SHA256
abebb88703fd0eadcdcce5e9a19d6564ef16d9dfc1d7dd80da0f9520451aba30

SHA512
933c94b5a5e3922ba21bb278df36527d0b9e0dbe7c457315b4d564d0baef307b0286f28f6859b192f1bd676b97f182cea99a4d68366d781d59de3c3c23d44e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2740.exe
Filesize
397KB

MD5
4d2a905a143206c91e6e3f06f851727a

SHA1
ccd782512b550fa3dce9968817dfa13177f4d479

SHA256
abebb88703fd0eadcdcce5e9a19d6564ef16d9dfc1d7dd80da0f9520451aba30

SHA512
933c94b5a5e3922ba21bb278df36527d0b9e0dbe7c457315b4d564d0baef307b0286f28f6859b192f1bd676b97f182cea99a4d68366d781d59de3c3c23d44e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h14Tr50.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h14Tr50.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ixHBm37.exe
Filesize
355KB

MD5
5106c90c14027fbb8e7065d57f65d8cd

SHA1
f1ed7ace126748aef10470c7239c5c49e6bfb141

SHA256
6f20343a9b9026219f997e6091541d325a9ef57b59c9ace9653cc6fc8b3692e2

SHA512
a3f4668ae85044c1d48233736a15dd9c595fc53f67dbe7d86ecd9e0cfd127f0808c652e0bbf6b744821334da9870ce8c7aca3128735208d9b25cc27a95672fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ixHBm37.exe
Filesize
355KB

MD5
5106c90c14027fbb8e7065d57f65d8cd

SHA1
f1ed7ace126748aef10470c7239c5c49e6bfb141

SHA256
6f20343a9b9026219f997e6091541d325a9ef57b59c9ace9653cc6fc8b3692e2

SHA512
a3f4668ae85044c1d48233736a15dd9c595fc53f67dbe7d86ecd9e0cfd127f0808c652e0bbf6b744821334da9870ce8c7aca3128735208d9b25cc27a95672fdd

Download Submit
memory/4348-133-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/4848-1072-0x00000000004A0000-0x00000000004D2000-memory.dmp

Filesize
200KB

Download
memory/4848-1073-0x0000000004EE0000-0x0000000004F2B000-memory.dmp

Filesize
300KB

Download
memory/4848-1074-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/4880-173-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-187-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-143-0x00000000071B0000-0x00000000076AE000-memory.dmp

Filesize
5.0MB

Download
memory/4880-144-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/4880-142-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/4880-145-0x0000000007120000-0x0000000007164000-memory.dmp

Filesize
272KB

Download
memory/4880-146-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-147-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-149-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-151-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-153-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-155-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-157-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-159-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-161-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-163-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-165-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-167-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-169-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-171-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-140-0x0000000002B90000-0x0000000002BDB000-memory.dmp

Filesize
300KB

Download
memory/4880-175-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-179-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-181-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-177-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-183-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-185-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-141-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/4880-189-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-191-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-193-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-195-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-197-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-199-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-201-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-203-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-205-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-207-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-209-0x0000000007120000-0x000000000715E000-memory.dmp

Filesize
248KB

Download
memory/4880-1052-0x0000000007CC0000-0x00000000082C6000-memory.dmp

Filesize
6.0MB

Download
memory/4880-1053-0x0000000007720000-0x000000000782A000-memory.dmp

Filesize
1.0MB

Download
memory/4880-1054-0x0000000007860000-0x0000000007872000-memory.dmp

Filesize
72KB

Download
memory/4880-1055-0x0000000007880000-0x00000000078BE000-memory.dmp

Filesize
248KB

Download
memory/4880-1056-0x00000000079D0000-0x0000000007A1B000-memory.dmp

Filesize
300KB

Download
memory/4880-1057-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/4880-1059-0x0000000007B60000-0x0000000007BF2000-memory.dmp

Filesize
584KB

Download
memory/4880-1060-0x0000000007C00000-0x0000000007C66000-memory.dmp

Filesize
408KB

Download
memory/4880-1061-0x00000000088E0000-0x0000000008956000-memory.dmp

Filesize
472KB

Download
memory/4880-1062-0x0000000008970000-0x00000000089C0000-memory.dmp

Filesize
320KB

Download
memory/4880-139-0x0000000004BB0000-0x0000000004BF6000-memory.dmp

Filesize
280KB

Download
memory/4880-1063-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/4880-1064-0x0000000008B50000-0x0000000008D12000-memory.dmp

Filesize
1.8MB

Download
memory/4880-1065-0x0000000008D20000-0x000000000924C000-memory.dmp

Filesize
5.2MB

Download
memory/4880-1066-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads