redline | 9d08f15196cc86b8bbf32d25a77809fae9f14edb05159ea5df793a859b594414

General

Target

0dd2d9905a53f3db8251a2a52e562cc5.exe
Size

553KB
MD5

0dd2d9905a53f3db8251a2a52e562cc5
SHA1

530120b2f97754dc5967effb0845cf551171bcd5
SHA256

9d08f15196cc86b8bbf32d25a77809fae9f14edb05159ea5df793a859b594414
SHA512

b3ba7ea0ed1842f473eea2eb2fcc5c515f965e51d974da64d8166beb1239f5300edf3ab6659886dcf8b4ce6eebc8292f2c11a4f4092fd0bd26b4d34b9b22c46b
SSDEEP

12288:VMrFy90Qq6JAa4JR8k5iuZyKynC/mWaoR6cSi8bsv:0ytqWH6I9nC/YoRrSRbsv

Score

10^/10

redline boris rotik discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

C2

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

rotik

C2

193.233.20.32:4125

Attributes

auth_value
74863478ae154e921eb729354d2bb4bd

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

h71XG20.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	h71XG20.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	h71XG20.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	h71XG20.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	h71XG20.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	h71XG20.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	h71XG20.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1992-158-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-159-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-161-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-163-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-165-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-167-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-169-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-171-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-173-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-175-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-177-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-179-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-181-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-183-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-185-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-187-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-189-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-191-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-193-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-195-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-197-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-199-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-201-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-203-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-205-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-207-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-209-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-211-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-213-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-215-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-217-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-219-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral2/memory/1992-221-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

niba7603.exeh71XG20.exeizJyg41.exel80fj09.exe

pid process

1112 niba7603.exe
4404 h71XG20.exe
1992 izJyg41.exe
1468 l80fj09.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

h71XG20.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" h71XG20.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1112	niba7603.exe
4404	h71XG20.exe
1992	izJyg41.exe
1468	l80fj09.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	h71XG20.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0dd2d9905a53f3db8251a2a52e562cc5.exeniba7603.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0dd2d9905a53f3db8251a2a52e562cc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0dd2d9905a53f3db8251a2a52e562cc5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	niba7603.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	niba7603.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

224 1992 WerFault.exe izJyg41.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

h71XG20.exeizJyg41.exel80fj09.exe

pid process

4404 h71XG20.exe
4404 h71XG20.exe
1992 izJyg41.exe
1992 izJyg41.exe
1468 l80fj09.exe
1468 l80fj09.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

h71XG20.exeizJyg41.exel80fj09.exe

description pid process

Token: SeDebugPrivilege 4404 h71XG20.exe
Token: SeDebugPrivilege 1992 izJyg41.exe
Token: SeDebugPrivilege 1468 l80fj09.exe

pid	pid_target	process	target process
224	1992	WerFault.exe	izJyg41.exe

pid	process
4404	h71XG20.exe
4404	h71XG20.exe
1992	izJyg41.exe
1992	izJyg41.exe
1468	l80fj09.exe
1468	l80fj09.exe

description	pid	process
Token: SeDebugPrivilege	4404	h71XG20.exe
Token: SeDebugPrivilege	1992	izJyg41.exe
Token: SeDebugPrivilege	1468	l80fj09.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

0dd2d9905a53f3db8251a2a52e562cc5.exeniba7603.exe

description	pid	process	target process
PID 1436 wrote to memory of 1112	1436	0dd2d9905a53f3db8251a2a52e562cc5.exe	niba7603.exe
PID 1436 wrote to memory of 1112	1436	0dd2d9905a53f3db8251a2a52e562cc5.exe	niba7603.exe
PID 1436 wrote to memory of 1112	1436	0dd2d9905a53f3db8251a2a52e562cc5.exe	niba7603.exe
PID 1112 wrote to memory of 4404	1112	niba7603.exe	h71XG20.exe
PID 1112 wrote to memory of 4404	1112	niba7603.exe	h71XG20.exe
PID 1112 wrote to memory of 1992	1112	niba7603.exe	izJyg41.exe
PID 1112 wrote to memory of 1992	1112	niba7603.exe	izJyg41.exe
PID 1112 wrote to memory of 1992	1112	niba7603.exe	izJyg41.exe
PID 1436 wrote to memory of 1468	1436	0dd2d9905a53f3db8251a2a52e562cc5.exe	l80fj09.exe
PID 1436 wrote to memory of 1468	1436	0dd2d9905a53f3db8251a2a52e562cc5.exe	l80fj09.exe
PID 1436 wrote to memory of 1468	1436	0dd2d9905a53f3db8251a2a52e562cc5.exe	l80fj09.exe

C:\Users\Admin\AppData\Local\Temp\0dd2d9905a53f3db8251a2a52e562cc5.exe
"C:\Users\Admin\AppData\Local\Temp\0dd2d9905a53f3db8251a2a52e562cc5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba7603.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba7603.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h71XG20.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h71XG20.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\izJyg41.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\izJyg41.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1292
4⤵
- Program crash
PID:224

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l80fj09.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l80fj09.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1992 -ip 1992
1⤵
PID:4192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l80fj09.exe
Filesize
175KB

MD5
efc3b1703bec9a0e79d4a9fdcedf4a20

SHA1
d019bfe5fbf05fde5cae0029f9580dca9677a3b2

SHA256
1d9b391ee239469206cf31022b982e66c2ab463d3106a38526103e1c1b8be855

SHA512
f36bbf81fe3bb68c8c8a1fc19dd7c79b386cfdb13b1e5d5e617c4a5ef8a38ed4c4c717f466c9293e2e1067d0f94c9d1ebc1814919e5c572dc66365fdd6009b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l80fj09.exe
Filesize
175KB

MD5
efc3b1703bec9a0e79d4a9fdcedf4a20

SHA1
d019bfe5fbf05fde5cae0029f9580dca9677a3b2

SHA256
1d9b391ee239469206cf31022b982e66c2ab463d3106a38526103e1c1b8be855

SHA512
f36bbf81fe3bb68c8c8a1fc19dd7c79b386cfdb13b1e5d5e617c4a5ef8a38ed4c4c717f466c9293e2e1067d0f94c9d1ebc1814919e5c572dc66365fdd6009b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba7603.exe
Filesize
411KB

MD5
6640068912e6e973c0ecf0dedf85910b

SHA1
985cc675565254eb2d6fdf71ccb14c96511cbbc6

SHA256
f37fcb2ada8cd3c0eebe20e2e9c0a6b9368da093f137de2c757c548077e0a837

SHA512
80ebdbf637152a47e55e7d27f91ad37d534d698cbe0d8f87c5c49acc82719e5a29ecb3ac36ce13b7a1f005671528ebda2a93f330645dd6156f951a58fc71e8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba7603.exe
Filesize
411KB

MD5
6640068912e6e973c0ecf0dedf85910b

SHA1
985cc675565254eb2d6fdf71ccb14c96511cbbc6

SHA256
f37fcb2ada8cd3c0eebe20e2e9c0a6b9368da093f137de2c757c548077e0a837

SHA512
80ebdbf637152a47e55e7d27f91ad37d534d698cbe0d8f87c5c49acc82719e5a29ecb3ac36ce13b7a1f005671528ebda2a93f330645dd6156f951a58fc71e8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h71XG20.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h71XG20.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\izJyg41.exe
Filesize
385KB

MD5
f81449cac86e759983979b5c27c0dd89

SHA1
3e7e7996a008ba3c079172fb93bfa15eaf792424

SHA256
5142ebcf26ae8ec7d6ab37958d5a1da0260f8b01f5195264f0e7e38940393bf1

SHA512
90283d9f52c8b5f886af9afdd73daaf1862c61d51bba43daf43f6f62f29e334cb1428fad276b4bea558446fcaf85e8dc9d2e01a81985a73fadf7bd85f5b8bfe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\izJyg41.exe
Filesize
385KB

MD5
f81449cac86e759983979b5c27c0dd89

SHA1
3e7e7996a008ba3c079172fb93bfa15eaf792424

SHA256
5142ebcf26ae8ec7d6ab37958d5a1da0260f8b01f5195264f0e7e38940393bf1

SHA512
90283d9f52c8b5f886af9afdd73daaf1862c61d51bba43daf43f6f62f29e334cb1428fad276b4bea558446fcaf85e8dc9d2e01a81985a73fadf7bd85f5b8bfe9

Download Submit
memory/1468-1085-0x0000000000610000-0x0000000000642000-memory.dmp

Filesize
200KB

Download
memory/1468-1086-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1468-1087-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1992-191-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-203-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-155-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/1992-157-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/1992-158-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-159-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-161-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-163-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-165-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-167-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-169-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-171-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-173-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-175-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-177-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-179-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-181-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-183-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-185-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-187-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-189-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-154-0x0000000002CF0000-0x0000000002D3B000-memory.dmp

Filesize
300KB

Download
memory/1992-193-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-195-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-197-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-199-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-201-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-156-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/1992-205-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-207-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-209-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-211-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-213-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-215-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-217-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-219-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-221-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/1992-1064-0x00000000078D0000-0x0000000007EE8000-memory.dmp

Filesize
6.1MB

Download
memory/1992-1065-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/1992-1066-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/1992-1067-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/1992-1068-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/1992-1070-0x00000000083C0000-0x0000000008426000-memory.dmp

Filesize
408KB

Download
memory/1992-1071-0x0000000008A90000-0x0000000008B22000-memory.dmp

Filesize
584KB

Download
memory/1992-1072-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/1992-1073-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/1992-1074-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/1992-1075-0x000000000A080000-0x000000000A0F6000-memory.dmp

Filesize
472KB

Download
memory/1992-153-0x00000000071D0000-0x0000000007774000-memory.dmp

Filesize
5.6MB

Download
memory/1992-1076-0x000000000A110000-0x000000000A160000-memory.dmp

Filesize
320KB

Download
memory/1992-1077-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/1992-1078-0x000000000A170000-0x000000000A332000-memory.dmp

Filesize
1.8MB

Download
memory/1992-1079-0x000000000A340000-0x000000000A86C000-memory.dmp

Filesize
5.2MB

Download
memory/4404-147-0x0000000000A60000-0x0000000000A6A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads