redline | 4e1f98336450ec17fd17e976a942d49ba3ef40b1c8fae5ab4af923b9dfcf6ad3

General

Target

4e1f98336450ec17fd17e976a942d49ba3ef40b1c8fae5ab4af923b9dfcf6ad3.exe
Size

686KB
MD5

435f3c10535cc1b2ee46a66c07ab92d8
SHA1

75a763f5e6dc32ba6595ad661426f11340b35347
SHA256

4e1f98336450ec17fd17e976a942d49ba3ef40b1c8fae5ab4af923b9dfcf6ad3
SHA512

8f57b18657a3ba29827f72ce179106e4b84d934d0c9f988bce7045885287a2616f1f7c257961ae44062c80c57cc135f06e277a1d2df58818c3aa0d29e1cd3413
SSDEEP

12288:9Mrxy90l5lKjrLCgddadqOGH6yjCB+R50FJMhLCslUMJuXixJN5vDea/:0yY5lMldIzGBjC450bgLCQhuXENh/

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pro0074.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro0074.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro0074.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro0074.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro0074.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro0074.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro0074.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3132-194-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3132-195-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3132-197-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3132-199-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3132-201-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3132-203-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3132-205-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3132-207-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3132-209-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3132-211-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3132-213-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3132-215-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3132-217-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3132-219-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3132-221-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3132-223-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3132-225-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3132-227-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3132-1110-0x0000000007340000-0x0000000007350000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

un681488.exepro0074.exequ4120.exesi316666.exe

pid process

2600 un681488.exe
1164 pro0074.exe
3132 qu4120.exe
1908 si316666.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2600	un681488.exe
1164	pro0074.exe
3132	qu4120.exe
1908	si316666.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pro0074.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro0074.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro0074.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4e1f98336450ec17fd17e976a942d49ba3ef40b1c8fae5ab4af923b9dfcf6ad3.exeun681488.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4e1f98336450ec17fd17e976a942d49ba3ef40b1c8fae5ab4af923b9dfcf6ad3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4e1f98336450ec17fd17e976a942d49ba3ef40b1c8fae5ab4af923b9dfcf6ad3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un681488.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un681488.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4184 1164 WerFault.exe pro0074.exe
3460 3132 WerFault.exe qu4120.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pro0074.exequ4120.exesi316666.exe

pid process

1164 pro0074.exe
1164 pro0074.exe
3132 qu4120.exe
3132 qu4120.exe
1908 si316666.exe
1908 si316666.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pro0074.exequ4120.exesi316666.exe

description pid process

Token: SeDebugPrivilege 1164 pro0074.exe
Token: SeDebugPrivilege 3132 qu4120.exe
Token: SeDebugPrivilege 1908 si316666.exe

pid	pid_target	process	target process
4184	1164	WerFault.exe	pro0074.exe
3460	3132	WerFault.exe	qu4120.exe

pid	process
1164	pro0074.exe
1164	pro0074.exe
3132	qu4120.exe
3132	qu4120.exe
1908	si316666.exe
1908	si316666.exe

description	pid	process
Token: SeDebugPrivilege	1164	pro0074.exe
Token: SeDebugPrivilege	3132	qu4120.exe
Token: SeDebugPrivilege	1908	si316666.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4e1f98336450ec17fd17e976a942d49ba3ef40b1c8fae5ab4af923b9dfcf6ad3.exeun681488.exe

description	pid	process	target process
PID 1696 wrote to memory of 2600	1696	4e1f98336450ec17fd17e976a942d49ba3ef40b1c8fae5ab4af923b9dfcf6ad3.exe	un681488.exe
PID 1696 wrote to memory of 2600	1696	4e1f98336450ec17fd17e976a942d49ba3ef40b1c8fae5ab4af923b9dfcf6ad3.exe	un681488.exe
PID 1696 wrote to memory of 2600	1696	4e1f98336450ec17fd17e976a942d49ba3ef40b1c8fae5ab4af923b9dfcf6ad3.exe	un681488.exe
PID 2600 wrote to memory of 1164	2600	un681488.exe	pro0074.exe
PID 2600 wrote to memory of 1164	2600	un681488.exe	pro0074.exe
PID 2600 wrote to memory of 1164	2600	un681488.exe	pro0074.exe
PID 2600 wrote to memory of 3132	2600	un681488.exe	qu4120.exe
PID 2600 wrote to memory of 3132	2600	un681488.exe	qu4120.exe
PID 2600 wrote to memory of 3132	2600	un681488.exe	qu4120.exe
PID 1696 wrote to memory of 1908	1696	4e1f98336450ec17fd17e976a942d49ba3ef40b1c8fae5ab4af923b9dfcf6ad3.exe	si316666.exe
PID 1696 wrote to memory of 1908	1696	4e1f98336450ec17fd17e976a942d49ba3ef40b1c8fae5ab4af923b9dfcf6ad3.exe	si316666.exe
PID 1696 wrote to memory of 1908	1696	4e1f98336450ec17fd17e976a942d49ba3ef40b1c8fae5ab4af923b9dfcf6ad3.exe	si316666.exe

C:\Users\Admin\AppData\Local\Temp\4e1f98336450ec17fd17e976a942d49ba3ef40b1c8fae5ab4af923b9dfcf6ad3.exe
"C:\Users\Admin\AppData\Local\Temp\4e1f98336450ec17fd17e976a942d49ba3ef40b1c8fae5ab4af923b9dfcf6ad3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un681488.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un681488.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0074.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0074.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 1084
4⤵
- Program crash
PID:4184

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4120.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4120.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1352
4⤵
- Program crash
PID:3460

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si316666.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si316666.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1164 -ip 1164
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3132 -ip 3132
1⤵
PID:4200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si316666.exe
Filesize
175KB

MD5
1644d28e20651e1f7ab7a4bb00639aea

SHA1
111862198fa381e041d9d05dca61eedcde0d4ddf

SHA256
4681dcf67c4b92b8e9531e399fd694573abc78a7c7025c347c8f17bd8879a78c

SHA512
108a7ced1ad52e78eec7caa37aae6e0d1919580a2d35d7d1643c12b9287295102e92f8d0399b85d621879b700164c5c8260bba90dc2369f8e5a59d3b06959b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si316666.exe
Filesize
175KB

MD5
1644d28e20651e1f7ab7a4bb00639aea

SHA1
111862198fa381e041d9d05dca61eedcde0d4ddf

SHA256
4681dcf67c4b92b8e9531e399fd694573abc78a7c7025c347c8f17bd8879a78c

SHA512
108a7ced1ad52e78eec7caa37aae6e0d1919580a2d35d7d1643c12b9287295102e92f8d0399b85d621879b700164c5c8260bba90dc2369f8e5a59d3b06959b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un681488.exe
Filesize
545KB

MD5
995e3892622a0687f25b68fc18a0525e

SHA1
20a50f64a208040a5882c38e76d2f18d7ca51aca

SHA256
3302eaeb0e4eb5d5b58c05a34278a55f39d34d8d6a3c95da0eec0effed5a54f0

SHA512
ea340a6f212af999d89786224743b203850ffa010f3a6c37e5ea057c06177c15e492048f3fd6eea15bf39021ec38ae3cadb33e80b6c59d06526285132e1a5ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un681488.exe
Filesize
545KB

MD5
995e3892622a0687f25b68fc18a0525e

SHA1
20a50f64a208040a5882c38e76d2f18d7ca51aca

SHA256
3302eaeb0e4eb5d5b58c05a34278a55f39d34d8d6a3c95da0eec0effed5a54f0

SHA512
ea340a6f212af999d89786224743b203850ffa010f3a6c37e5ea057c06177c15e492048f3fd6eea15bf39021ec38ae3cadb33e80b6c59d06526285132e1a5ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0074.exe
Filesize
321KB

MD5
362d4e3870ffa567bc134f772c956456

SHA1
43cac50640d6b6084c56eb426f719c3c1b1f7e1b

SHA256
036a33278f978cdb12a9ea8dceac8ad2091791647aa848b119bd1933d3cc7976

SHA512
4ead9f0c6641200d705be2f1e33a5f4323637e3c808201cee4ff0b5b38a949960416801d67ead8ddad5839cf55b93100a3b0588c5d701c19689104fe22ae1fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0074.exe
Filesize
321KB

MD5
362d4e3870ffa567bc134f772c956456

SHA1
43cac50640d6b6084c56eb426f719c3c1b1f7e1b

SHA256
036a33278f978cdb12a9ea8dceac8ad2091791647aa848b119bd1933d3cc7976

SHA512
4ead9f0c6641200d705be2f1e33a5f4323637e3c808201cee4ff0b5b38a949960416801d67ead8ddad5839cf55b93100a3b0588c5d701c19689104fe22ae1fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4120.exe
Filesize
380KB

MD5
fe7c1bcfc91cfe902bef1d84229ccdf3

SHA1
223433d0070c1a855e8a74fdeb89e811684249d8

SHA256
bd8b3143b4396b03d94023d66c5ab4911c80c455160077aa89f4d8de3dfc0b34

SHA512
ece50268870c5d0990b9f7c5a2c6c58b5981c8cd5bab1b30aaa7d9d56eee6f49c403b95eaabc281c1ef7361b9ccb833b99901f9cb762612a7d7a2b2da715851f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4120.exe
Filesize
380KB

MD5
fe7c1bcfc91cfe902bef1d84229ccdf3

SHA1
223433d0070c1a855e8a74fdeb89e811684249d8

SHA256
bd8b3143b4396b03d94023d66c5ab4911c80c455160077aa89f4d8de3dfc0b34

SHA512
ece50268870c5d0990b9f7c5a2c6c58b5981c8cd5bab1b30aaa7d9d56eee6f49c403b95eaabc281c1ef7361b9ccb833b99901f9cb762612a7d7a2b2da715851f

Download Submit
memory/1164-158-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1164-168-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1164-150-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/1164-151-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/1164-152-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/1164-153-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1164-154-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1164-156-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1164-148-0x0000000007380000-0x0000000007924000-memory.dmp

Filesize
5.6MB

Download
memory/1164-160-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1164-162-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1164-164-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1164-166-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1164-149-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/1164-170-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1164-172-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1164-174-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1164-176-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1164-178-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1164-180-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1164-181-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1164-183-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/1164-184-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/1164-185-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/1164-186-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1908-1121-0x0000000000800000-0x0000000000832000-memory.dmp

Filesize
200KB

Download
memory/1908-1122-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/3132-191-0x0000000002C60000-0x0000000002CAB000-memory.dmp

Filesize
300KB

Download
memory/3132-223-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3132-194-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3132-195-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3132-197-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3132-199-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3132-201-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3132-203-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3132-205-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3132-207-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3132-209-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3132-211-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3132-213-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3132-215-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3132-217-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3132-219-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3132-221-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3132-193-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/3132-225-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3132-227-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3132-229-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/3132-1101-0x0000000007900000-0x0000000007F18000-memory.dmp

Filesize
6.1MB

Download
memory/3132-1102-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/3132-1103-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/3132-1104-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/3132-1105-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/3132-1107-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/3132-1108-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/3132-1109-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/3132-1110-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/3132-1111-0x0000000008CC0000-0x0000000008E82000-memory.dmp

Filesize
1.8MB

Download
memory/3132-1112-0x0000000008EA0000-0x00000000093CC000-memory.dmp

Filesize
5.2MB

Download
memory/3132-192-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/3132-1113-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/3132-1114-0x000000000A880000-0x000000000A8F6000-memory.dmp

Filesize
472KB

Download
memory/3132-1115-0x000000000A900000-0x000000000A950000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads