redline | bed0967b6dbd7ef65723596720ef8427a52ed8427055edde835a86453975add1

General

Target

bed0967b6dbd7ef65723596720ef8427a52ed8427055edde835a86453975add1.exe
Size

695KB
MD5

ff97c244519d2ef09232dc3b3fd0df40
SHA1

bf430a234b6f8967649af54b5012b8bc1806aa6d
SHA256

bed0967b6dbd7ef65723596720ef8427a52ed8427055edde835a86453975add1
SHA512

34d368b2fcc3dea559e64a9dc9882362b426b7d3699a6f62d7dfad372cbb8181fc8377ea5d60158f8b89b15bef75a29e8885cc6239648bee601b4e21d4296bfe
SSDEEP

12288:3MrFy90yjV6TQM0UnkoHHRTtDHW4PqrY4Q6PLZ2VTMEL/anUalDlWQT+4au:OyXot9m4oY4Q6PIn/OUSlWQT+pu

Score

10^/10

redline muse rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

muse

C2

176.113.115.145:4125

Attributes

auth_value
b91988a63a24940038d9262827a5320c

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pro1839.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro1839.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro1839.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro1839.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro1839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro1839.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro1839.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4064-191-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4064-192-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4064-194-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4064-196-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4064-198-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4064-200-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4064-202-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4064-205-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4064-208-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4064-212-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4064-214-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4064-216-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4064-218-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4064-220-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4064-222-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4064-224-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4064-226-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4064-228-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

un848404.exepro1839.exequ1144.exesi447705.exe

pid process

4216 un848404.exe
1316 pro1839.exe
4064 qu1144.exe
4764 si447705.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4216	un848404.exe
1316	pro1839.exe
4064	qu1144.exe
4764	si447705.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pro1839.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro1839.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro1839.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bed0967b6dbd7ef65723596720ef8427a52ed8427055edde835a86453975add1.exeun848404.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bed0967b6dbd7ef65723596720ef8427a52ed8427055edde835a86453975add1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bed0967b6dbd7ef65723596720ef8427a52ed8427055edde835a86453975add1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un848404.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un848404.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2416 sc.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3312 1316 WerFault.exe pro1839.exe
4732 4064 WerFault.exe qu1144.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pro1839.exequ1144.exesi447705.exe

pid process

1316 pro1839.exe
1316 pro1839.exe
4064 qu1144.exe
4064 qu1144.exe
4764 si447705.exe
4764 si447705.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pro1839.exequ1144.exesi447705.exe

description pid process

Token: SeDebugPrivilege 1316 pro1839.exe
Token: SeDebugPrivilege 4064 qu1144.exe
Token: SeDebugPrivilege 4764 si447705.exe

pid	process
2416	sc.exe

pid	pid_target	process	target process
3312	1316	WerFault.exe	pro1839.exe
4732	4064	WerFault.exe	qu1144.exe

pid	process
1316	pro1839.exe
1316	pro1839.exe
4064	qu1144.exe
4064	qu1144.exe
4764	si447705.exe
4764	si447705.exe

description	pid	process
Token: SeDebugPrivilege	1316	pro1839.exe
Token: SeDebugPrivilege	4064	qu1144.exe
Token: SeDebugPrivilege	4764	si447705.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bed0967b6dbd7ef65723596720ef8427a52ed8427055edde835a86453975add1.exeun848404.exe

description	pid	process	target process
PID 2132 wrote to memory of 4216	2132	bed0967b6dbd7ef65723596720ef8427a52ed8427055edde835a86453975add1.exe	un848404.exe
PID 2132 wrote to memory of 4216	2132	bed0967b6dbd7ef65723596720ef8427a52ed8427055edde835a86453975add1.exe	un848404.exe
PID 2132 wrote to memory of 4216	2132	bed0967b6dbd7ef65723596720ef8427a52ed8427055edde835a86453975add1.exe	un848404.exe
PID 4216 wrote to memory of 1316	4216	un848404.exe	pro1839.exe
PID 4216 wrote to memory of 1316	4216	un848404.exe	pro1839.exe
PID 4216 wrote to memory of 1316	4216	un848404.exe	pro1839.exe
PID 4216 wrote to memory of 4064	4216	un848404.exe	qu1144.exe
PID 4216 wrote to memory of 4064	4216	un848404.exe	qu1144.exe
PID 4216 wrote to memory of 4064	4216	un848404.exe	qu1144.exe
PID 2132 wrote to memory of 4764	2132	bed0967b6dbd7ef65723596720ef8427a52ed8427055edde835a86453975add1.exe	si447705.exe
PID 2132 wrote to memory of 4764	2132	bed0967b6dbd7ef65723596720ef8427a52ed8427055edde835a86453975add1.exe	si447705.exe
PID 2132 wrote to memory of 4764	2132	bed0967b6dbd7ef65723596720ef8427a52ed8427055edde835a86453975add1.exe	si447705.exe

C:\Users\Admin\AppData\Local\Temp\bed0967b6dbd7ef65723596720ef8427a52ed8427055edde835a86453975add1.exe
"C:\Users\Admin\AppData\Local\Temp\bed0967b6dbd7ef65723596720ef8427a52ed8427055edde835a86453975add1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un848404.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un848404.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1839.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1839.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1080
4⤵
- Program crash
PID:3312

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1144.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1144.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1348
4⤵
- Program crash
PID:4732

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si447705.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si447705.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1316 -ip 1316
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4064 -ip 4064
1⤵
PID:4044

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:2416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si447705.exe
Filesize
175KB

MD5
9ab212e7bfa3bb63d572ef4310a3f7fe

SHA1
c11ad9e8ccbd36360e5f6ce68ad32d2d2a27cf72

SHA256
abc774dc79ecf5feef36463d5fc949a6dc71ee4afd9881d52a6b932caaa10405

SHA512
3aabeabc562a0a6a8f65c3b8def5ba19d2808e2910b77fe23fa88012f8dac2600dc434b6998b411977bab25518cfc62d3f6b7de52042a0dad4c8e099a10c9693

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si447705.exe
Filesize
175KB

MD5
9ab212e7bfa3bb63d572ef4310a3f7fe

SHA1
c11ad9e8ccbd36360e5f6ce68ad32d2d2a27cf72

SHA256
abc774dc79ecf5feef36463d5fc949a6dc71ee4afd9881d52a6b932caaa10405

SHA512
3aabeabc562a0a6a8f65c3b8def5ba19d2808e2910b77fe23fa88012f8dac2600dc434b6998b411977bab25518cfc62d3f6b7de52042a0dad4c8e099a10c9693

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un848404.exe
Filesize
554KB

MD5
c6145ac78d5816e0cffd0344e1441303

SHA1
98c39ee6a0d26ae22b9f1436213dab945ed1de9d

SHA256
26b425d393ed8d907f8fe4a6f2b741db9188c420d825f5026f97512b57c6b682

SHA512
07caf3cdf643fff190888ccc9a82094be0a40eba4d66a18fd2b892b0d6486428abdf534fbff1e3dd8efb92dbd3b3b9af235758aa7757944fb671b7317735c849

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un848404.exe
Filesize
554KB

MD5
c6145ac78d5816e0cffd0344e1441303

SHA1
98c39ee6a0d26ae22b9f1436213dab945ed1de9d

SHA256
26b425d393ed8d907f8fe4a6f2b741db9188c420d825f5026f97512b57c6b682

SHA512
07caf3cdf643fff190888ccc9a82094be0a40eba4d66a18fd2b892b0d6486428abdf534fbff1e3dd8efb92dbd3b3b9af235758aa7757944fb671b7317735c849

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1839.exe
Filesize
347KB

MD5
535b458a5a4aa2744d8b1ed25f907484

SHA1
b2790ffc897029152c55d824269ab9473d105ec2

SHA256
4f08edf4a485d7f8a6b24e9ef0a814593b2e985b9baa29702c0bbb5b0eef6b73

SHA512
ab0b455d68fa2277d7d65c925cc67d36c492e351fdbbb8dc31c628bf3151d1883afb70497cc3a0712824591ba010d139a3646f131247de15dbf3c6fc10da5d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1839.exe
Filesize
347KB

MD5
535b458a5a4aa2744d8b1ed25f907484

SHA1
b2790ffc897029152c55d824269ab9473d105ec2

SHA256
4f08edf4a485d7f8a6b24e9ef0a814593b2e985b9baa29702c0bbb5b0eef6b73

SHA512
ab0b455d68fa2277d7d65c925cc67d36c492e351fdbbb8dc31c628bf3151d1883afb70497cc3a0712824591ba010d139a3646f131247de15dbf3c6fc10da5d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1144.exe
Filesize
405KB

MD5
253d440dce759a685c728d7cd516edb8

SHA1
a2c447a0d7f178e729b638a2a1bb55a48c3c526d

SHA256
a2a0fc6da0d1dc57789a2114b8dcf2f9d2e4a54d371d523b341e42e1de469669

SHA512
5d9fd07902a13eb6706c9288333bb81c6ea0e2c54dd8672e5cd6941e95df6ecd2949475be765012e19fc779f28eb0861bb4611dc7aabe12bb2ac963329f55d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1144.exe
Filesize
405KB

MD5
253d440dce759a685c728d7cd516edb8

SHA1
a2c447a0d7f178e729b638a2a1bb55a48c3c526d

SHA256
a2a0fc6da0d1dc57789a2114b8dcf2f9d2e4a54d371d523b341e42e1de469669

SHA512
5d9fd07902a13eb6706c9288333bb81c6ea0e2c54dd8672e5cd6941e95df6ecd2949475be765012e19fc779f28eb0861bb4611dc7aabe12bb2ac963329f55d55

Download Submit
memory/1316-148-0x0000000004560000-0x000000000458D000-memory.dmp

Filesize
180KB

Download
memory/1316-149-0x00000000072F0000-0x0000000007894000-memory.dmp

Filesize
5.6MB

Download
memory/1316-150-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1316-151-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1316-153-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1316-155-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1316-157-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1316-159-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1316-164-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1316-162-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1316-161-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1316-166-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1316-165-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1316-168-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1316-170-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1316-172-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1316-174-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1316-176-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1316-178-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1316-180-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1316-181-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/1316-183-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1316-185-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1316-184-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1316-186-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/4064-191-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4064-192-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4064-194-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4064-196-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4064-198-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4064-200-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4064-202-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4064-204-0x0000000002C70000-0x0000000002CBB000-memory.dmp

Filesize
300KB

Download
memory/4064-205-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4064-206-0x00000000070D0000-0x00000000070E0000-memory.dmp

Filesize
64KB

Download
memory/4064-208-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4064-209-0x00000000070D0000-0x00000000070E0000-memory.dmp

Filesize
64KB

Download
memory/4064-212-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4064-211-0x00000000070D0000-0x00000000070E0000-memory.dmp

Filesize
64KB

Download
memory/4064-214-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4064-216-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4064-218-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4064-220-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4064-222-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4064-224-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4064-226-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4064-228-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4064-1101-0x00000000078E0000-0x0000000007EF8000-memory.dmp

Filesize
6.1MB

Download
memory/4064-1102-0x0000000007F80000-0x000000000808A000-memory.dmp

Filesize
1.0MB

Download
memory/4064-1103-0x00000000080C0000-0x00000000080D2000-memory.dmp

Filesize
72KB

Download
memory/4064-1104-0x0000000008120000-0x000000000815C000-memory.dmp

Filesize
240KB

Download
memory/4064-1105-0x00000000070D0000-0x00000000070E0000-memory.dmp

Filesize
64KB

Download
memory/4064-1107-0x00000000083D0000-0x0000000008462000-memory.dmp

Filesize
584KB

Download
memory/4064-1108-0x0000000008470000-0x00000000084D6000-memory.dmp

Filesize
408KB

Download
memory/4064-1109-0x0000000008C90000-0x0000000008E52000-memory.dmp

Filesize
1.8MB

Download
memory/4064-1110-0x0000000008E70000-0x000000000939C000-memory.dmp

Filesize
5.2MB

Download
memory/4064-1111-0x00000000070D0000-0x00000000070E0000-memory.dmp

Filesize
64KB

Download
memory/4064-1112-0x00000000070D0000-0x00000000070E0000-memory.dmp

Filesize
64KB

Download
memory/4064-1113-0x0000000009620000-0x0000000009696000-memory.dmp

Filesize
472KB

Download
memory/4064-1114-0x00000000096B0000-0x0000000009700000-memory.dmp

Filesize
320KB

Download
memory/4064-1115-0x00000000070D0000-0x00000000070E0000-memory.dmp

Filesize
64KB

Download
memory/4764-1121-0x0000000000310000-0x0000000000342000-memory.dmp

Filesize
200KB

Download
memory/4764-1122-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads