redline | afa054f8a18a2c7a5257a9021d1740b1f313d8c2d3ceed7609785404c7292e31

General

Target

afa054f8a18a2c7a5257a9021d1740b1f313d8c2d3ceed7609785404c7292e31.exe
Size

751KB
MD5

b20568570756b481e04ad52e38456d5d
SHA1

3386f753ebff2f948abe4f3372913832b8ab843b
SHA256

afa054f8a18a2c7a5257a9021d1740b1f313d8c2d3ceed7609785404c7292e31
SHA512

be3888f005cd369a1cedb1d9036d066bd7b818e017e3a8e6f943e9bba912f281fe980e938a8bccc6321ae22bb6275ca8e8a60dff0666f32f0071ecad3771625f
SSDEEP

12288:h9+hlaQ6fT0YC+EwRi8Zc5yNlcDxc6hwYcUNLwEgbUt28ivEZgoxhvzzFM:uraQGIAEQi8ZcalwxZ+4gbUt28oEZ1vu

Score

10^/10

redline muse rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

muse

C2

176.113.115.145:4125

Attributes

auth_value
b91988a63a24940038d9262827a5320c

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

jr730788.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr730788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr730788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr730788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr730788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr730788.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2104-144-0x0000000004B80000-0x0000000004BC6000-memory.dmp	family_redline
behavioral1/memory/2104-150-0x0000000004C10000-0x0000000004C54000-memory.dmp	family_redline
behavioral1/memory/2104-151-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-152-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-154-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-156-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-158-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-160-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-162-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-164-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-166-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-168-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-170-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-172-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-174-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-176-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-178-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-180-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-182-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-184-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-186-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-188-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-190-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-192-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-194-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-196-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-198-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-200-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-202-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-204-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-206-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-208-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-210-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/2104-212-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

ziHc7759.exejr730788.exeku364252.exelr921454.exe

pid process

3924 ziHc7759.exe
4964 jr730788.exe
2104 ku364252.exe
3096 lr921454.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

jr730788.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr730788.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3924	ziHc7759.exe
4964	jr730788.exe
2104	ku364252.exe
3096	lr921454.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr730788.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ziHc7759.exeafa054f8a18a2c7a5257a9021d1740b1f313d8c2d3ceed7609785404c7292e31.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziHc7759.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziHc7759.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	afa054f8a18a2c7a5257a9021d1740b1f313d8c2d3ceed7609785404c7292e31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	afa054f8a18a2c7a5257a9021d1740b1f313d8c2d3ceed7609785404c7292e31.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

jr730788.exeku364252.exelr921454.exe

pid process

4964 jr730788.exe
4964 jr730788.exe
2104 ku364252.exe
2104 ku364252.exe
3096 lr921454.exe
3096 lr921454.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

jr730788.exeku364252.exelr921454.exe

description pid process

Token: SeDebugPrivilege 4964 jr730788.exe
Token: SeDebugPrivilege 2104 ku364252.exe
Token: SeDebugPrivilege 3096 lr921454.exe

pid	process
4964	jr730788.exe
4964	jr730788.exe
2104	ku364252.exe
2104	ku364252.exe
3096	lr921454.exe
3096	lr921454.exe

description	pid	process
Token: SeDebugPrivilege	4964	jr730788.exe
Token: SeDebugPrivilege	2104	ku364252.exe
Token: SeDebugPrivilege	3096	lr921454.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

afa054f8a18a2c7a5257a9021d1740b1f313d8c2d3ceed7609785404c7292e31.exeziHc7759.exe

description	pid	process	target process
PID 3260 wrote to memory of 3924	3260	afa054f8a18a2c7a5257a9021d1740b1f313d8c2d3ceed7609785404c7292e31.exe	ziHc7759.exe
PID 3260 wrote to memory of 3924	3260	afa054f8a18a2c7a5257a9021d1740b1f313d8c2d3ceed7609785404c7292e31.exe	ziHc7759.exe
PID 3260 wrote to memory of 3924	3260	afa054f8a18a2c7a5257a9021d1740b1f313d8c2d3ceed7609785404c7292e31.exe	ziHc7759.exe
PID 3924 wrote to memory of 4964	3924	ziHc7759.exe	jr730788.exe
PID 3924 wrote to memory of 4964	3924	ziHc7759.exe	jr730788.exe
PID 3924 wrote to memory of 2104	3924	ziHc7759.exe	ku364252.exe
PID 3924 wrote to memory of 2104	3924	ziHc7759.exe	ku364252.exe
PID 3924 wrote to memory of 2104	3924	ziHc7759.exe	ku364252.exe
PID 3260 wrote to memory of 3096	3260	afa054f8a18a2c7a5257a9021d1740b1f313d8c2d3ceed7609785404c7292e31.exe	lr921454.exe
PID 3260 wrote to memory of 3096	3260	afa054f8a18a2c7a5257a9021d1740b1f313d8c2d3ceed7609785404c7292e31.exe	lr921454.exe
PID 3260 wrote to memory of 3096	3260	afa054f8a18a2c7a5257a9021d1740b1f313d8c2d3ceed7609785404c7292e31.exe	lr921454.exe

C:\Users\Admin\AppData\Local\Temp\afa054f8a18a2c7a5257a9021d1740b1f313d8c2d3ceed7609785404c7292e31.exe
"C:\Users\Admin\AppData\Local\Temp\afa054f8a18a2c7a5257a9021d1740b1f313d8c2d3ceed7609785404c7292e31.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3260

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHc7759.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHc7759.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3924

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr730788.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr730788.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku364252.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku364252.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr921454.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr921454.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr921454.exe
Filesize
175KB

MD5
591efc87ce3974863f97b3fb96d353c9

SHA1
d71e0c0d137c7e7395b470c8110b389927d06537

SHA256
e3223af8ae969b1135c01c0fe5860c2484054c755e91c04b1d6da4438e4ae5a5

SHA512
eeee0be70e2eb30e8345e72ed0d352bcc218ebb709904056ada22e9595f74b6a154c9cc5fe6044e7ac46da7d18ea13b31ae036fa5fa962607fd972d7492b3b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr921454.exe
Filesize
175KB

MD5
591efc87ce3974863f97b3fb96d353c9

SHA1
d71e0c0d137c7e7395b470c8110b389927d06537

SHA256
e3223af8ae969b1135c01c0fe5860c2484054c755e91c04b1d6da4438e4ae5a5

SHA512
eeee0be70e2eb30e8345e72ed0d352bcc218ebb709904056ada22e9595f74b6a154c9cc5fe6044e7ac46da7d18ea13b31ae036fa5fa962607fd972d7492b3b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHc7759.exe
Filesize
420KB

MD5
6ca16a861ab5e7dac5b02e979ce6f81f

SHA1
92088493e05ed321cc9e800a72e33080aa85595f

SHA256
cb363a673adb11c0bab2fc6df4b0beadfef43093c67d15573ba2baa4bc833d95

SHA512
c4a5249b6044c51edcb9e87505defbe4fce7cca336a146a66e30c2c3f05a15108c4b808669666efebbd652b5e3366d7f86f490ef45ddbcc0a1fa162e7e237155

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHc7759.exe
Filesize
420KB

MD5
6ca16a861ab5e7dac5b02e979ce6f81f

SHA1
92088493e05ed321cc9e800a72e33080aa85595f

SHA256
cb363a673adb11c0bab2fc6df4b0beadfef43093c67d15573ba2baa4bc833d95

SHA512
c4a5249b6044c51edcb9e87505defbe4fce7cca336a146a66e30c2c3f05a15108c4b808669666efebbd652b5e3366d7f86f490ef45ddbcc0a1fa162e7e237155

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr730788.exe
Filesize
11KB

MD5
a5569b37458871722ce0ff1f5e954903

SHA1
a5675df2a5c6056b17247679d2521f0a3304a46c

SHA256
e0cbcc50748123d3a79365c770f4823dcc7586c0429ff0f3b06714c8cff3b20f

SHA512
ab62d7b8b392a9cd88399f826ba6f4e6b6e591f902e13d718bc5a989f418770d7f7adb09f49d80ed2557221b70a879e0cd05a9715e2981bb23bd1cbbc8137431

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr730788.exe
Filesize
11KB

MD5
a5569b37458871722ce0ff1f5e954903

SHA1
a5675df2a5c6056b17247679d2521f0a3304a46c

SHA256
e0cbcc50748123d3a79365c770f4823dcc7586c0429ff0f3b06714c8cff3b20f

SHA512
ab62d7b8b392a9cd88399f826ba6f4e6b6e591f902e13d718bc5a989f418770d7f7adb09f49d80ed2557221b70a879e0cd05a9715e2981bb23bd1cbbc8137431

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku364252.exe
Filesize
406KB

MD5
fd216b10901e4f0bfa6e51ca58e836f8

SHA1
0ca6da6af5eddfb944bcee13016e5f9d82254e5e

SHA256
30694b600bc9b749d6200231c012ce8543402b907ec24871fc40ca094f0caad5

SHA512
aea8beb778e5f11a5f69c3d8303bf76a7899e83c2acb7e8efa76324562363a3c423c74c274e3908023ccab3e7ddd20f4a2767617327f39321290a2113c1e1c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku364252.exe
Filesize
406KB

MD5
fd216b10901e4f0bfa6e51ca58e836f8

SHA1
0ca6da6af5eddfb944bcee13016e5f9d82254e5e

SHA256
30694b600bc9b749d6200231c012ce8543402b907ec24871fc40ca094f0caad5

SHA512
aea8beb778e5f11a5f69c3d8303bf76a7899e83c2acb7e8efa76324562363a3c423c74c274e3908023ccab3e7ddd20f4a2767617327f39321290a2113c1e1c83

Download Submit
memory/2104-188-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-198-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-147-0x00000000071D0000-0x00000000076CE000-memory.dmp

Filesize
5.0MB

Download
memory/2104-146-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/2104-148-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/2104-149-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/2104-150-0x0000000004C10000-0x0000000004C54000-memory.dmp

Filesize
272KB

Download
memory/2104-151-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-152-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-154-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-156-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-158-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-160-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-162-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-164-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-166-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-168-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-170-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-172-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-174-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-176-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-178-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-180-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-182-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-184-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-186-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-144-0x0000000004B80000-0x0000000004BC6000-memory.dmp

Filesize
280KB

Download
memory/2104-190-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-192-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-194-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-196-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-145-0x0000000002BA0000-0x0000000002BEB000-memory.dmp

Filesize
300KB

Download
memory/2104-200-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-202-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-204-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-206-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-208-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-210-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-212-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/2104-1057-0x0000000007E20000-0x0000000008426000-memory.dmp

Filesize
6.0MB

Download
memory/2104-1058-0x0000000007870000-0x000000000797A000-memory.dmp

Filesize
1.0MB

Download
memory/2104-1059-0x00000000079B0000-0x00000000079C2000-memory.dmp

Filesize
72KB

Download
memory/2104-1060-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/2104-1061-0x00000000079D0000-0x0000000007A0E000-memory.dmp

Filesize
248KB

Download
memory/2104-1062-0x0000000007B20000-0x0000000007B6B000-memory.dmp

Filesize
300KB

Download
memory/2104-1065-0x0000000007CB0000-0x0000000007D16000-memory.dmp

Filesize
408KB

Download
memory/2104-1066-0x0000000008980000-0x0000000008A12000-memory.dmp

Filesize
584KB

Download
memory/2104-1067-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/2104-1068-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/2104-1069-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/2104-1070-0x0000000008B60000-0x0000000008D22000-memory.dmp

Filesize
1.8MB

Download
memory/2104-1071-0x0000000008D50000-0x000000000927C000-memory.dmp

Filesize
5.2MB

Download
memory/2104-1072-0x00000000093B0000-0x0000000009426000-memory.dmp

Filesize
472KB

Download
memory/2104-1073-0x0000000009430000-0x0000000009480000-memory.dmp

Filesize
320KB

Download
memory/2104-1074-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/3096-1080-0x0000000000760000-0x0000000000792000-memory.dmp

Filesize
200KB

Download
memory/3096-1081-0x0000000005190000-0x00000000051DB000-memory.dmp

Filesize
300KB

Download
memory/3096-1083-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/3260-137-0x0000000006A40000-0x0000000006ACE000-memory.dmp

Filesize
568KB

Download
memory/3260-138-0x0000000000400000-0x0000000002BE9000-memory.dmp

Filesize
39.9MB

Download
memory/4964-136-0x00000000005D0000-0x00000000005DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads